What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is the most comprehensive overhaul of European data protection rules in more than twenty years. It replaces the varying national implementations of the earlier EU Data Protection Directive (95/46/EC) with a single, directly applicable EU regulation. The intended outcome is a standardized set of expectations for how an organization manages and protects the personal data of employees, clients and other data subjects. Note that GDPR uses the term "personal data", which is broader than the US notion of personally identifiable information (PII): it covers any information relating to an identified or identifiable natural person, including online identifiers such as IP addresses and cookie IDs.
Why it matters
As of the 25 May 2018 enforcement date, any organization, wherever it is based, that processes the personal data of individuals in the EU must be able to show that it meets the new data protection requirements. The scope is territorial rather than citizenship-based: GDPR applies to data subjects who are in the EU (Article 3), including where the organization is established outside the EU but offers goods or services to them or monitors their behaviour.
Three Pillars of GDPR
A new transparency framework
While the data protection law already obliges organizations to be transparent about the purposes for which they process data, GDPR compliance extends the obligation of transparency much further.
- Organizations need to be much clearer about personal data use.
- Consent rules are toughened up.
- Stronger Data Subject Access rights.
- Mandatory breach notification to the supervisory authority within 72 hours of becoming aware of a personal data breach (Article 33), and notification of affected data subjects without undue delay where the breach is likely to result in a high risk to them (Article 34).
A new ‘Compliance Journey’
The GDPR changes what data privacy and data security compliance mean in practice. Compliance is no longer a one-off checklist or an end goal; it becomes an ongoing obligation that drives new data management and process requirements.
- Privacy by Design & Default.
- Data Protection Impact Assessments.
- Accountability (document data use).
- Data Portability & Right to be Forgotten.
- Enhanced rights of inspection and audit for the supervisory authority.
A new Punishment Regime
The GDPR gives supervisory authorities substantially stronger investigative and corrective powers, backed by much larger financial penalties.
- Tougher enforcement powers for regulators, including orders to bring processing into compliance and bans on processing.
- Administrative fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher, for the most serious infringements (Article 83).
- Suspension or termination of the right or ability to process data.
- Ability to demand the erasure of data.
The GDPR is the most comprehensive overhaul of data protection rules in over twenty years. As the enforcement date approaches, hype and urgency increase, and it is no surprise that misconceptions about the regulation abound.
- It’s not about where your organization is domiciled or headquartered. If you have establishments or customers in the EU, work with EU vendors, or otherwise process the personal data of individuals in the EU, you’re in scope.
- It’s not an isolated department’s responsibility. A GDPR Program is a cross-functional effort. Legal deals with the processing elements, IT with implementing technical controls and security with protection of the data, including detecting and responding to any threats to that data.
- It’s not a one-time fix. Once 25 May 2018 has passed, the work to fulfill the requirements isn’t complete: every change you make going forward that affects personal data must be assessed to ensure it doesn’t move you into non-compliance.
- There is no one-size fits all program of remediation work, solution or technology. GDPR is a risk-based, business driven framework, built around your own individual organizational operations and your own risk profile and that of your data subjects.
- There is no certificate that makes an organization “GDPR compliant”. Article 42 allows for voluntary certification schemes, but holding one does not reduce a controller’s or processor’s responsibility; compliance is about due diligence and taking appropriate action to protect personal data.
GDPR provides a comprehensive data protection regime, of which data security is one part. Privacy and data protection issues have far-reaching implications for many aspects of business operations and GDPR is likely to require significant changes across many parts of the organization.
With the right approach and help, organizations can use the requirements laid down by GDPR that affect information security to promote privacy, security, and business enablement.
When it comes to reporting an incident, guidance from the Article 29 Data Protection Working Party (WP29, since succeeded by the European Data Protection Board) on GDPR breach notification encourages organizations to build notification to the supervisory authority into their incident response plan as a defined step, and outlines practical measures every organization can implement. In this post, our risk management and information security experts outline some good security practices to consider.
| Principle | Description |
|---|---|
| Principle 1 (lawfulness, fairness and transparency) | Fair, lawful and transparent processing of personal data |
| Principle 2 (purpose limitation) | Specified, explicit, and legitimate purposes for the collection and processing of personal data |
| Principle 3 (data minimisation) | Personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes of the processing |
| Principle 4 (accuracy) | Personal data is accurate and kept up to date |
| Principle 5 (storage limitation) | Personal data is kept only as long as necessary |
| Principle 6 (integrity and confidentiality) | Personal data is processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage |