What is GDPR?
The General Data Protection Regulation (GDPR) becomes enforceable on May 25th, 2018. Failure to comply can result in fines of up to 4% of an organisation's annual worldwide turnover or €20 million, whichever is higher. GDPR will be 'policed' by a supervisory authority in each member state; in the UK's case this is the Information Commissioner's Office (ICO).
In the UK it is supplemented by the new Data Protection Bill, published in September 2017, which replaces the Data Protection Act 1998. Together these update and replace legislation that is already 20 years old and could not have taken account of today's increasingly interconnected world (e.g. social media).
What organisations are subject to the new regulation?
Any organisation, whether or not it is based within the EU, that offers goods or services to individuals in the EU (or monitors their behaviour) and holds and/or processes personal data, meaning any data that could lead to the identification of an individual. Typical examples include name, e-mail address, IP address, bank details and date of birth.
How is it different to existing legislation?
Penalties for non-compliance (see above); these are much higher than under previous legislation.
Data retention. Personal data may only be kept for as long as it is necessary for the purpose it was collected for; after that it must be anonymised or securely destroyed.
Right to be forgotten and data portability. Individuals can request that their data be deleted; they can also request a copy of their data, or have it sent to another organisation. There are exceptions, for example where the data must be retained for national security or to meet a legal obligation.
Mandatory breach notification. Breaches of personal data MUST be reported to the supervisory authority within 72 hours of the organisation becoming aware of them (unless the breach is unlikely to result in a risk to individuals), and the affected data subjects must be informed without undue delay where the breach is likely to result in a high risk to them.
Built-in data protection (data protection by design and by default). Data protection must be built into all new business processes and systems from the outset, rather than added afterwards.
What does an organisation need to do?
There are two aspects to making sure an organisation is compliant.
The first relates to your normal business processes around handling personal data. For example, are your staff aware of their obligations regarding the confidentiality of the personal data you store and/or process?
The second aspect relates to being aware of all the digital information which an organisation holds on an individual. Does the organisation know where the data is held, how many copies of it exist, how it is used and secured, whether it is shared with other organisations, and so on?
Being GDPR compliant requires an organisation to have the right business processes in place. This demands more focus than before the advent of GDPR; much of it is common sense, but the penalties for not getting it right are now far more onerous. Organisations will also need much more detailed knowledge of all the digital information relating to the personal data they hold, and to accomplish that they will require agile, easy-to-use software that can 'inventorise' their data assets.
Who will be responsible?
Be under no illusion: responsibility for GDPR compliance rests with the Board of an organisation. It is NOT an IT problem, although a significant part of the solution will be software related. At a lower level within the organisation there will have to be a responsible individual; they could be called Head of Compliance or Data Protection Officer (for some organisations, such as public authorities and those carrying out large-scale monitoring of individuals or processing of special categories of data, appointing a Data Protection Officer is mandatory). Their job will be to make sure the organisation is aware of what needs to be done for compliance purposes, but they will not necessarily be the implementers of the processes, so it is NOT going to be just down to them. It is possible for this function to be outsourced to a responsible third party. However, this is one responsibility that goes all the way to the top of an organisation.