With the deadline for the enforcement of the new General Data Protection Regulation (GDPR) fast approaching, our August blog post answers some key questions about the new regulation and outlines important recommendations. We will look at the basics of what GDPR is, how the regulation will impact organisations and the role of IT within data protection as a whole.
1. What is GDPR?
The General Data Protection Regulation (GDPR) is a new regulation that will replace the current Data Protection Directive of 1995. It is intended to enhance and unify data protection for all individuals living in an EU member state.
2. Why is GDPR being put in place?
Currently, each of the 28 EU member countries operates under its own interpretation of the Data Protection Directive (1995). The new regulation aims to:
- Give control back to citizens and residents regarding how their personal data is acquired, stored, secured and processed. It also gives citizens the right to access, challenge and amend their data.
- Replace the outdated Data Protection Directive by factoring in new technologies and emerging platforms, such as social media and cloud computing.
- Create a single unified regulation across the EU to replace the various interpretations of the previous directive.
3. What is meant by ‘personal data’?
The European Commission defines ‘personal data’ as any information relating to an individual, personal or professional. This includes: name, address, email address, financial details, posts on social networks, photographs, medical records and even an IP address.
4. Who does the regulation apply to?
- Any organisation that collects and controls personal data from EU citizens.
- Any organisation that processes data on behalf of another organisation (for example, a cloud service provider).
If your organisation is outside of the EU but collects and processes data of EU citizens, the regulation also applies. Although the UK is set to leave the EU, the UK Government has stated that the GDPR will still apply to all UK-based organisations.
5. What happens if an organisation fails to comply?
The financial penalty put in place is steep – a fine of 20 million euros or 4% of the organisation’s global turnover (whichever amounts to more).
6. What can organisations do to prepare?
There are several areas to consider when preparing for the GDPR:
- Create a role for a Data Protection Officer – applies mainly to organisations with over 250 employees that have direct involvement with the collection and processing of data.
- Implement GDPR at board level, with direct responsibilities lying with the CIO, CISO and Data Protection Officer.
- Adopt risk management tools and implement security and privacy protocols into the operations of the organisation (for example, develop a data privacy framework).
- Be concise and clear about data that is collected, what it is, where and how it is stored, how it is accessed and where it goes.
- Be confident that data held can be securely deleted when requested.
- Carry out regular and compulsory impact assessments.
- Ensure your IT infrastructure is set up to minimise the risk of a data leak or security breach. Under the GDPR, a data breach must be reported to a supervisory authority within 72 hours.
The enforcement date of GDPR is set as 25th May 2018. It can be a daunting task to prepare and implement a plan of action, especially if internal IT resources are limited. Please contact us for a free, initial consultation regarding IT security and data protection. Our consultants are available 24×7 to give advice and guidance: +44(0)1756 633 882 firstname.lastname@example.org