This is a blog piece for the company blog site around the new General Data Protection Regulation: http://blogs.mti.com/blog/general-data-protection-regulation-what-you-need-to-know
Signed into law in May 2016, the European Union’s General Data Protection Regulation (GDPR) act will force change in the way businesses approach data protection when it is enforced in two years’ time.
The scope of the act, which replaces the EU Data Protection Directive, will increase significantly as it standardises and unifies data privacy requirements not just across member states, but for any businesses that markets to EU data subjects.
Carrying heavy fines for non-compliance, either €20 million or 4 per cent of global turnover, whichever is greater, the GDPR enacts stricter guidelines for getting consent for data collection, individual profiling and also contains more comprehensive definitions of data.
GDPR also enhances the current legislature around data security and breach notification standards, so it is imperative the compliance teams, CIOs and data protection officers take notice of these changes.
As part of the new rules set by the EU, companies must alert the authorities without undue delay and have up to 72 hours – where feasible – to provide notification of a breach of EU national’s data, or risk a fine for non-compliance.
Currently, UK firms are not under any such requirement to announce a data breach, with many choosing not to as the cost of doing so for a business can be enormous. For example TalkTalk and Carphone Warehouse saw their profits and trust in their brands fall dramatically following public data leaks.
This will be a significant change for many businesses, and will see current systems overhauled in order to ensure breach protocols are compliant with the new legislation. It will also apply to all UK firms trading in Europe, as any company that holds the personal details of an EU ‘data subject’ will have to comply.
The devil is in the detail and the final text of the new directive needs to be closely studied.
The GDPR also separates responsibilities and duties for both data controllers and processors – requiring controllers to only engage processors that provide sufficient guarantees to meet the GDPR’s standards of protecting data subjects’ rights.
Article 32 of the GDPR outlines these responsibilities. While it is similar to the Directive’s Article 17, the GDPR expands this by providing specific suggestions for the type of security activities which might be ‘appropriate to the risk’.
From encryption of data to testing and assessing security systems – everything needs to be compliant with the GDPR’s new code of conduct.
There are just under two years and in turn two budget cycles remaining until the law enforces the act, yet GDPR readiness is not a priority amongst IT professionals in Europe.
There is a lot to assess in that time, especially in terms of the security aspects of GDPR, so now is the time to be getting systems ready for compliance and for implementing new breach notification policies.
This will require working with legal teams and other branches of the business to ensure compliance is watertight to prevent heavy fines for businesses.