Earlier this month I was at Infosec in London and a lot of the chatter was around the new European General Data Protection Legislation (GDPR). The landscape has changed with with Brexit so it will be interesting to see how this plays out in the context of the UK, but for countries still in the EU the new General Data Protection Regulation (GDPR) represents the most significant change in global privacy law in 20 years.

Why did the EU want a new law?

This regulation has been designed to replace the EU data protection directive from 1995, before the internet was used on such a wide scale. It has been designed to protect consumers and improve law for businesses in a digitised word of Internet banking, smart phones, wide spread social media and electronic transfers. With this new law companies must now take the issues surrounding data security very seriously.

Who is affected by the new EU data protection rules?

Heads of IT, management and personnel who are responsible for data protection in your organisation need to pay attention.  Just as importantly, this new legislation applies to all organisations who are conducting business in Europe irrespective of where the organisation HQ is based.

Ultimately this means that this GDPR legislation will replace the current patchwork of local laws within countries and thus make it clearer both for businesses and consumers.

Be Careful

Under this new legislation, a company can be fined 4% of annual worldwide turnover or up to €20 million, depending on the nature of the data violation.

Companies will have to appoint a data protection officer if they are handling sensitive data and they will be required to keep track data in audible fashion. Importune too note that any breaches have to be notified within 72 hours of happening.

Timelines

This officially becomes law in 2018 so your organisation has approximately two years to implement required operational changes to ensure compliance. the diagram below covers the steps required to ensure the plan is implemented in a structured manner.

While two years may seem like a lot of time, there is a significant amount of changes. This area encompasses a lot of governance and risk and the implementation can be complex for people who aren’t familiar with it. But ultimately this will help organisation to improve their overall privacy program and reduce your company’s corporate risk profile.

GDPR AT A GLANCE

• Data Breach notification within 72 hours.
• Expansion of who is subject to the regulation, who is protected by the regulation, and who is enforcing the regulation
• Data: new definitions of “personal data”, “sensitive personal data”, and the introduction of pseudonymized data processing
• Consent: consent requirements for data processing and explicit consent requirements for profiling data (i.e., analysing personal preferences or behavior)
• Individual Rights: including the “right to be forgotten” for erasure of online information and “data portability” to easily transfer data to another provider
• International Data Transfer: restrictions to personal data transfer outside of EEA
• Accountability: governance requirements such as audits and Data Protection Officers (DPOs), recognition of seals and certification programs as a route to demonstrate GDPR compliance

Smarttech Privacy Professionals

Smarttech has a team of expert data privacy experts with significant experience conducting privacy assessments. Our team broad array of skills across privacy, technology, business process, and project management experience. All  have hands-on experience working for a wide range of companies in many sectors and leverage comprehensive technology platforms in the delivery of our service. For more information, contact us today.