The EU's new General Data Protection Regulation (GDPR) takes effect on May 25th, 2018. Let us take a quick look at what this regulation is all about.
The General Data Protection Regulation is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
Today, data protection is regulated by each of the 28 EU member states' own laws (implementing the 1995 Data Protection Directive). As a regulation rather than a directive, GDPR applies directly in every member state and aims to remove the ambiguity that the patchwork of national laws has created.
GDPR concentrates on four distinct fields:
- Defines personal data and sensitive (special category) personal data
- Details how these are to be handled
- Establishes fines for non-compliance
- Sets new requirements for breach notifications (notification to the supervisory authority within 72 hours of becoming aware of a breach, and to affected individuals when the breach is likely to result in a high risk to them)
But what is GDPR all about? Rights. Rights for individuals in the EU to have greater control over their data (personal data and sensitive personal data):
- Consent (and the other lawful bases) for personal data to be shared and processed
- Right to access personal data
- Right to erasure ("right to be forgotten")
- Right to data portability
- Right to rectification
- Right to object to processing (and to restrict it)
- Right not to be subject to decisions based solely on automated processing, including profiling
Of these, the one most organisations struggle with is consent. Consent is one of the lawful bases for processing personal data; where an organisation relies on it, the consent must be freely given, specific, informed and unambiguous (an affirmative act, so pre-ticked boxes and silence do not count), and for sensitive personal data it must be explicit. The data subject must be told plainly and precisely what data will be collected and how it will be used, and must be able to withdraw consent as easily as it was given. Consent obtained before May 2018 that does not meet this standard has to be re-obtained, including for systems already in place. Organisations therefore have to work out a way to gain consent which is fair, lawful and verifiable, or identify another lawful basis (such as contract, legal obligation or legitimate interests) and document it.
With the new rights becoming law, organisations have to ask themselves: does this apply to me or not? This is best answered by a qualified lawyer, but in short: GDPR covers the personal data of individuals in the EU, and it binds organisations established in the EU as well as organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. It does not matter where the data is stored or accessed from.
If an organisation is in the scope of GDPR, it may have to:
- Appoint a data protection officer (mandatory for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive data; the 250-employee figure that is often quoted is not the DPO threshold)
- Appoint a representative inside the EU (for organisations without an EU establishment)
- Review data collection procedures
- Create a data protection awareness programme for employees
- Perform initial and ongoing information audits, and keep records of processing activities
- Complete Data Protection Impact Assessments (DPIAs) for high-risk processing
To enforce compliance, the regulation opens the possibility of high fines, in two tiers:
- Up to 2% of annual global turnover, or 10 million euro (whichever is higher), for e.g.:
  - Failing to notify data breaches as required
  - Not appointing a DPO (when one is required)
  - Not conducting DPIAs (Data Protection Impact Assessments)
  - Not keeping appropriate records of processing
- Up to 4% of annual global turnover, or 20 million euro (whichever is higher), for e.g.:
  - Processing without valid consent or another lawful basis
  - Not upholding data subjects' rights
  - Transferring personal data outside the EU without adequate safeguards
Of course these are only the maximum possible fines; their enforcement will be proportionate to the nature, gravity and duration of the infringement. However, non-compliance will have other impacts as well, such as damage to the company's reputation and lost consumer trust.
Guides have been created and published for companies that detail the steps they should take to gain compliance. In general, they expect companies to map what data they have and where it flows, check that their processing is fair, lawful and transparent, remove any unneeded data (data minimisation), create a procedure for consent handling, recognise and be able to honour the rights granted to individuals, carry out a risk assessment from the data subject's perspective, reduce those risks, have an incident response plan that can meet the 72-hour notification deadline, and host security awareness training for employees; finally, do all this (and more) before May 25th, 2018.
A quick way to gain a first impression of your company's compliance level is to use a self-assessment form such as the one provided by the ICO; a readiness form can be found here: http://www2.infosecinstitute.com/GDPR-Readiness
Keep Calm and Prepare for GDPR!
Further reading:
- GDPR Compliance: What You Need to Know Before May 2018
- Let's Cut The Crap On GDPR by Carl Gottlieb
- Virtual Session: GDPR without the Hype