Changing face of Compliance and data protection
The GDPR first published in January 2012, following four years of European collaboration, discussions and negotiations has now been agreed. The regulation of over 200 pages incorporates significant changes and models overhauling Europe’s Data Protection law.
The new Regulation – the General Data Protection Regulation (GDPR) will supersede the existing 1995 Directive. Moreover, it is a now a regulation which means that it will apply instantly to all EU Member States without the prerequisite for implementing a national legislation.
The laws that have been in place since 1995 have allowed for each EU country to implement the laws as they have felt fit. This has resulted in inconsistency in data security across the EU. The new regulation will seek to stop the divergence and reinforce confidence in online security for organisations, their customers and clients, and citizens.
The existing derivative of 1995 does not account for the incredibly fast changes that have occurred and are occurring within the internet realm. They are based on activity up to 1995 but naturally much has changed since then. The adapted and revised laws are long outstanding and are needed to accommodate the online services and challenges of today; they need to cover data protection in areas that were non-existent in 1995.
If one looks at the purposes that the internet is used for today - from social networking to cloud computing - personal and corporate data is at risk. Everyone has the right to the protection of their personal data, thus rules need to be reviewed, adapted and new ones added where necessary to ensure that everyone is getting the data protection that they are entitled to especially in today’s internet age where so much personal data is processed, transferred and stored online.
The regulation signals a breakthrough in data protection laws in the EU; aiming to provide congruence for data protection throughout. A common law in all EU countries is to support the secure liberal movement of data across EU boundaries.
Although the new regulation is a European regulation, it encompasses organisations beyond the EU as well. The GDPR includes changes what will affect all organisations that process personal data of European citizens whether or not based in the EU. That being said, the regulation will have global impact and all organisations should review their processes, policies, data handling and technologies to ensure that they are compliant. Fines for non-compliance will be substantial and will exceed 4% of annual global turnover resulting in penalties that will be significantly higher than before.
Significant Areas GDPR Impacts
The changes that are highlighted as most noteworthy range from the heavy fines to requirements regarding reporting a data breach within 72 hours. Many breaches are occurring unnoticed at the moment but with the enforcement for reporting of such breaches, organisations will be scrutinised - making unacceptable data handling and security lead to pronounced repercussions with impacts to both finance and reputation.
Noteworthy areas include:
- Increased territorial reach, although this is an EU regulation it will have global impact
The regulation expands its reach to include any organisation both inside and outside the EU provided that data relating to an EU subject is concerned. This could include providing of services, goods as well as monitoring. Any organisation outside of the EU that targets an EU subject must also comply with the regulation.
- Clarity on what defines personal data
The term personal data has been clarified. This is to ensure that there is no misinterpretation of what defines personal data - furthermore so that the definition is coherent throughout all EU and non-EU countries processing data belonging to EU individuals.
- Consent for data use
Consent to process a data subject’s personal data must be given by the data subject freely. The consent must be specific, informed and unambiguous.
- Accountability and privacy by design
GDPR ensures responsibility is taken by the data controller (organisation) to display compliance, including the upkeep of documentation, the provisioning of data protection impact assessments and warranting that data protection is executed by default and design.
- Mandatory data breach notifications
Data breaches must be reported to the local regulator within 72hrs of knowledge of the breach. The organisation will need to inform the regulator of the technical safeguards that they had in place and the circumstances surrounding the breach. Data subjects must also be notified of the breach.
- Larger penalties for non-compliance
Fines for non-compliance can be up to 4% of annual global turnover. Fines associated with the new regulation have escalated greatly. The penalty will depend on the amount of data lost.
- Role of data processes and data controllers explained
Data processes under the new GDPR have direct obligations to ensure data is properly secured, breaches are reported and security measures are in place. Both data processes (provider or someone processing data on behalf of the organisation) and data controllers (organisation gathering data) are equally liable for the security of the data and the loss of any data that they process.
- Clarification on transfer of data outside of the EU
Data subjects must be informed of the risk associated with transferring their data outside the EU. The new regulation explains the data that may be transferred using standard data protection clauses.
- The right to be forgotten and the right to access their data
Individuals can demand to access data that belongs to them - they also have the right to have their data erased under certain circumstances.
- Pseudonomysation and encryption of data are encouraged
The law specifically encourages data controllers and processors to implement encryption technologies to secure data.
Preparing for the EU General Data Protection Regulation (GDPR)
The GDPR provides specific suggestions for appropriate security actions which must be addressed by organisations, they include:
- The pseudonymisation and encryption of personal data.
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident (72-hour obligatory period for notification).
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
8 Recommendations to assist with preparations
- It is vital to ascertain whether the GDPR applies to you, the likelihood is that it does. Everyone within the EU as well as outside of the EU that processes or handles data of an EU citizen must comply.
- Work out where you are not compliant and begin to make the necessary changes.
- Assess areas of risk to uncover where personal data could be at risk so that changes can be made and policies can be put in place where needed.
- Put clear security policies and procedures in place for appropriate response to a breach and timely notification.
- Incorporate privacy by design and implement a privacy management strategy so that security policies can be continually governed and maintained.
- Securing the physical premises and environment is still essential. Access to facilities where data is stored must be controlled and monitored.
- Secure your data and control access to your data! This needs to be achieved in a way that managers the data and flow of data across multiple processes and locations. Access to data must be strictly limited.
- Have a policy in place if an information breach were to occur. This way the breach can be dealt with appropriately and smoothly. Be sure that your response to a breach complies with the regulation.
Preparedness is key
Organisations must start the necessary preparations now to avoid running the risk of non-compliance in May 2018 (when the regulation becomes enforced). It is important that the groundwork is undertaken at once. With so many arduous requirements to fulfil, it is necessary to take immediate action to reach compliance with the new and compulsory data protection regulation. It will take time to integrate so don’t be lulled into a false sense of security because the enforcement of the regulation is not immediate.
Presently, a multitude of organisations are re-assessing their security positions and examining their practices so that forthcoming compliance can be assured by the enforcement date.
The revised regulation should strengthen data security and the privacy rights of individuals which will culminate in increased customer confidence in data security. The improved transparency, control and management of personal data will ensure only the necessary data is processed and stored and ensure data is kept secure and that its location is always known. Such regulations are of no use if they are not enforced. With significant monetary penalties for non-compliance set, enforcement of the regulation will be a priority.
It is most important to ensure that your company conforms to the regulation. Making sure you are aware of the laws and are up to date with the changes. At the end of the day you will be held accountable for any security breech that occurs and will have to deal with the consequences.
The law emphasises that data handling and potential data loss is a major issue of business and must be taken seriously at all levels and by all organisations.