After years of patchwork privacy and data handling rules causing headaches across the various nations of the European Union, the EU adopted the General Data Protection Regulation (GDPR) in 2016 to harmonise the rules across all member states. The GDPR aims to protect the personal data of everyone in the EU and to make it easier for organisations to understand and comply with data protection rules. Though the GDPR was formally adopted in April 2016, it only applies from 25 May 2018, giving organisations about two years to prepare.
Organisations do not need to be located within the EU to be accountable. If you handle the personal data of individuals in the EU, you will need to comply with the GDPR or risk hefty fines: up to 4% of your company's annual worldwide turnover or up to €20 million, whichever is higher.
Key Points of the GDPR
Privacy By Design: The aim of the GDPR is to protect the personal data of individuals in the EU, which includes data such as their name, email address, financial or medical details, and even their IP address. As such, a key component of the GDPR is building privacy into systems from the start (Privacy By Design) and applying the most privacy-protective settings by default for all end users.
Data Custodianship: In addition, better data custodianship rules are part of the GDPR. The regulation dictates that organisations should collect only the data they actually need (data minimisation) and keep it only for as long as they need it (storage limitation). Once that data is no longer required, it should be securely destroyed or anonymised.
Right To Erasure: Building on the "right to be forgotten" established by the Court of Justice of the EU's 2014 Google Spain ruling, the GDPR includes a right to erasure. This means that individuals can request that an organisation delete their personal data for a number of reasons, including where the data is no longer needed or is being processed unlawfully. Additionally, where processing relies on consent, that consent must be freely given, specific, informed and unambiguous, and organisations must make withdrawing consent as easy as giving it.
Breach Notification Requirements: Along with the requirements around keeping personal data safe, the GDPR also includes mandatory and stringent data breach notification rules. In the event of a breach of personal data, the organisation must notify the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to the individuals concerned, the organisation must also notify the affected individuals without undue delay.
Considerations for Becoming GDPR Compliant
Understand your network and the scope of the data you have
Make sure you have a grasp on your ecosystem and the scope of the data your organisation holds: what kind of data it is, where it is stored and processed, and who has access to it. Once you have an idea of the scope, you can start to implement access limits and monitoring so that unauthorised access is prevented where possible and detected where it is not.
Assess the strength of controls and programs
You'll want to test and assess the efficacy of any critical security controls and programs currently in place, not just technology, but people and processes, too. Scan for vulnerabilities and weak points regularly and address any gaps you find.
Formalise and practice notification processes
No one wants a data breach to occur, but it's best to be prepared for the worst-case scenario well ahead of time. Put in place a formalised data breach notification process and take it for a few trial runs, and be sure it is backed by incident detection and response capabilities: the 72-hour clock starts when you become aware of the breach, so the ability to detect, scope and assess an incident quickly is what makes the deadline achievable.