Compliance and data protection in the EU is changing. By May 2018 the new regulation for the protection of data within the EU will be enforced. Although this may seem some time away, the amount of work and adjustment that most organisations must undertake to reach compliance with the new General Data Protection Regulation (GDPR) is extensive. It is recommended to begin preparations as soon as possible; don’t delay!
What is the GDPR and who will it impact?
The GDPR was first published in January 2012. Following four years of collaboration, discussions and negotiations, the new GDPR has now been established. The regulation incorporates significant changes and models, revamping Europe’s data protection law. It will supersede the present 1995 Directive. Moreover, it is now a regulation, which means that it will apply immediately to all EU Member States without the precondition of implementing national legislation.
The 1995 Directive has enabled each EU country to apply data protection law as it has felt suitable and necessary, resulting in discrepancies in data security across the EU. The new GDPR seeks to stop this divergence and reinforce confidence in online security for all (organisations, their customers and clients, and citizens). Additionally, a common law in all EU countries will support the secure and free movement of data across EU boundaries.
Considering the ways in which the internet is utilised presently, from social media and networking to cloud computing, corporate as well as personal data is continuously being placed at risk. Everyone has the right to the protection of their personal data, and the new GDPR aims to address the mounting gaps in security and assist in ensuring that the protection everyone is entitled to is honoured.
What does it mean if you or your organisation is not based in the EU? This does not mean that the GDPR will have no impact on you or your organisation. The GDPR, although an EU regulation, has global reach.
The GDPR includes changes that will affect all organisations that process the personal data of European citizens, whether or not they are based in the EU. As such, the regulation will have global impact, and it is recommended that all organisations review their processes, policies, data handling and technologies to ensure that they are compliant. Fines for non-compliance will be substantial and will exceed 4% of annual global turnover, resulting in penalties that will be significantly higher than before.
Preparation is fundamental
The enforcement of the regulation is not immediate; however, it is important that the groundwork is undertaken right away if compliance is to be achieved by the time the regulation is enforced. Organisations will find that there are many arduous requirements that will take time to integrate.
Presently, a multitude of organisations are re-assessing their security positions and examining their practices so that forthcoming compliance can be assured by the enforcement date.
The changes highlighted as most noteworthy include the heavy fines as well as the requirement to report a data breach within 72 hours. Many breaches occurring today are overlooked. With mandatory reporting of such breaches, organisations will be scrutinised, and unacceptable data handling and security will result in pronounced repercussions, impacting both the finances and the reputations of the organisations in question.
GDPR will impact the way in which organisations address data security
Significant Areas GDPR Impacts
1. Pseudonymisation and encryption of data are encouraged: The law specifically encourages data controllers and processors to implement encryption technologies to secure data.
2. Accountability and privacy by design: The data controller must take responsibility for the data if compliance is to be achieved. This includes the upkeep of documentation, the provision of data protection impact assessments and ensuring that data protection is implemented by default and by design.
3. Increased territorial reach: Although this is an EU regulation, it will have global impact.
4. Clarification on transfer of data outside of the EU: Data subjects must be informed of the risk associated with transferring their data outside the EU. The new regulation explains the data that may be transferred using standard data protection clauses.
5. Clarity on what defines personal data: The meaning of personal data can no longer be misinterpreted, as the definition is consistent throughout the EU.
6. Mandatory data breach notifications: Data breaches must be reported to the local regulator within 72 hours of becoming aware of the breach. The organisation will need to inform the regulator of the technical safeguards that it had in place and the circumstances surrounding the breach. Data subjects must also be notified of the breach.
7. Larger penalties for non-compliance: Fines for non-compliance can be up to 4% of annual global turnover (these have escalated substantially). The penalty will depend on the amount of data lost.
8. Consent for data use: Consent must be freely given, as well as specific, informed and unambiguous.
9. Roles of data processors and data controllers explained: Data processors under the new GDPR have direct obligations to ensure that data is properly secured, breaches are reported and security measures are in place. Both data processors (a provider or anyone processing data on behalf of the organisation) and data controllers (the organisation gathering the data) are jointly liable for the security of the data and for the loss of any data that they process.
10. The right to be forgotten and the right of access: Individuals can demand access to data that belongs to them, and they have the right to have their data erased under certain circumstances.
Galaxkey can help!
Under Article 32, controllers and processors are required to “implement appropriate technical and organizational measures” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.”
The GDPR provides specific suggestions for appropriate security actions:
• The pseudonymisation and encryption of personal data.
• The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
• The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident (72-hour obligatory notification period).
• A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
It is important to start making the necessary changes right away. The requirement for compliance with the GDPR is inevitable and the journey to compliance will take both commitment and time.