The data protection and data security landscape is all set to change next year with the advent of the new EU General Data Protection Regulation (GDPR). The GDPR is not all good news. But it is not all bad news either. Many of the organisations we work with are using the GDPR to bring some focus to what they do and improve their security stance.
The new rules are part revolution and part evolution. In many ways, the new system builds on the current one, so if you already comply with current EU data protection laws you can build on those foundations. It is important to take a risk-based approach and plan properly, but you also need to be realistic. There is just a year left before the GDPR takes effect, and if you have been slow to act, you cannot afford to delay getting up to speed. The team at Cordery has been working on GDPR projects since the first draft came out in 2012. GDPR is a long document but here are some of our highlights:
Security Breach Reporting
There is not much change to the obligations organisations have to keep personal data secure. However, one of the most important changes is the mandatory reporting of security breaches.
Breaches must generally be reported to a regulator within 72 hours, and those affected by the breach must usually also be informed. To do this you must have clear, practical, effective and speedy procedures in place. You will also need to get your vendors and suppliers on board – because this is business critical, you cannot afford to get it wrong.
The GDPR has wider extraterritorial reach. The new rules will apply to all those in the EU who control data and/or undertake data processing. They will also apply to businesses outside the EU who target EU data subjects, even if they don’t take payment from people within the EU. Unlike some US legislation, the rules don’t just apply to health and financial data – all sectors and all types of personal data are covered.
There Are New Rights for Individuals
New rights are being introduced and existing ones tweaked, including:
- A new Right to Data Portability;
- An extended Right to Be Forgotten (called the Right to Erasure);
- A beefed-up Subject Access Right – to be free and with a shorter time to reply.
Data Protection Impact Assessments (DPIAs)
DPIAs will have to be undertaken for many data processing operations.
DPIAs put the compliance assessment burden on those handling personal data – but are used as a wider tool to help get a better handle on your data processes and reduce risk. This should help you build privacy and security into the heart of what you do. This might be the chance for information security teams to get involved in projects at an earlier stage, and for them to be more recognised by management as a valuable part of the process. Information security teams should build their knowledge of the DPIA process and work out how they can add value. There is no set format to a DPIA, but the key aspect is to pick a process that is simple to understand and helps you quickly identify and address the real risks.
Increased enforcement will come about with the new regime, backed up by greater sanctions.
There are fines of up to €20 million or four per cent of the global annual revenue of a business (whichever is greater), which are likely to bring greater reputational damage with them. This is the big stick for data protection compliance, but getting it right will pre-empt major headaches. To add to the potential consequences, civil actions are becoming more likely following a breach.
What Do You Need To Do Now?
Start preparing now and read our FAQs or watch our film on YouTube for further information and advice. If you don’t have a plan in place already, get started immediately, but make sure your plan is achievable in the short time you have left.