The new General Data Protection Regulation (GDPR) created by the European Commission and European Parliament will be officially applicable starting on May 25, 2018.
Due to the evolution by which end users process and consume data, the need for a new regulation was apparent as previous regulations such as the 1995 EU Data Protection Directive as well as the Data Protection Act 1998 were deemed insufficient to protect the sensitive personal information of individuals entrusted to data controllers.
As a result, organisations need to pay greater attention to their Cyber Security and data protection policies, to ensure they match GDPR requirements.
Here are a few things to know about the GDPR and how it applies to you.
1: Why the GDPR was Drafted
Although the current legislation was enacted before the internet, newer technologies such as social media and cloud computing have raised the bar in terms of the amount of data we consume, as well as the ways this data can be exploited.
And although much of the GDPR codifies existing guidance from already established data protection laws, the changes being introduced are intended to actuate a new mindset and culture shift about the use and security of data.
Bearing in mind that large companies such as Facebook use customer data for their services at their own discretion, the GDPR was drafted to give people more control over the use of their personal information.
With the emergence of the digital economy, the GDPR seeks to strengthen data protection regulations by introducing stricter enforcement measures.
2: Who is Impacted?
One of the most crucial things for organisations to note is that the GDPR applies to them as long as they control or process the personal data of EU citizens, within or outside the EU, irrespective of the organisation’s physical location.
Chapter 1, article 4 of the GDPR defines the role of data controllers and data processors as:
Controller: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
Processor: “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
A controller could be a business organisation, an NGO or the government, while a processor could be an IT or audit firm doing the actual processing of data.
3: How Ready are You for GDPR?
As the official implementation of the GDPR draws close, with about seven months left, preparations for compliance should be in top gear.
Under the regulation, companies processing a considerable amount of data will be required to appoint a Data Protection Officer (DPO) who will advise on how best to prepare.
Companies will need to identify all personal data on their books, determine the reasons for holding such data and assess how it is stored.
Where minors are involved, age verification before data collection should be standard procedure. Also, companies are mandated to obtain parental consent for data collected about their wards.
High-risk data processing activities are prone to data leaks and identity theft. Therefore companies are expected to conduct regular Data Protection Impact Assessments (DPIAs) to identify the resulting risks and develop plans to mitigate them.
4: What to do in Case of a Data Breach
Although most enterprises have laid-out procedures for dealing with Cyber Security threats, these methods must be reviewed under the scrutiny of the GDPR.
The GDPR brings with it new, mandatory breach notifications which attract heavy fines for defaulters. Once a data breach is detected, companies will have a 72-hour window to report it to the corresponding Supervisory Authority or risk penalties of up to €10,000,000 or 2% of their annual worldwide revenue (whichever is higher).
Although the deadline is tight, if the breach is in the category of identity theft, then the affected individuals should be informed even before the Supervisory Authority is called.
5: Key Steps to Compliance
Nineteen months ago, when the GDPR was initially drafted in April 2016, the best advice was to start preparations early. With less than seven months to go before full implementation on 25 May 2018, most organisations will not be GDPR compliant.
However, our free, no-obligation GDPR awareness questionnaire will expedite your preparation, as it was drafted to help late implementers achieve compliance status in as little time as possible.
We will review your Cyber Security technology as well as data protection policies to check if they meet GDPR requirements.
Further, organisations need to understand the classification of the data they control, process and store as well as the legal basis for this.
The data protection policies of third-party suppliers that count as data processors must also be checked to see if they comply.
Reviewing your data security policies and getting them into shape will be the first step in avoiding GDPR fines for lacklustre security measures.