By May 2018, the General Data Protection Regulation (GDPR) needs to be fully implemented by organizations that handle the personal data of people in Europe.
GDPR is a new piece of legislation introduced to make data protection requirements consistent across the European Union. Because it applies to European citizens, any company that handles the data of a European person needs to follow GDPR legislation – regardless of where in the world it is located.
The regulation is designed to simplify the regulatory environment for international business by unifying data protection law within the EU and replacing the Data Protection Directive of 1995. It is intended to strengthen and unify data protection for all individuals within the EU, and it also addresses the export of personal data outside the EU.
In short, the regulation gives European citizens more control over their personal data, while also streamlining the processes behind data management. Under the new rules, individuals have “the right to be forgotten”, meaning they will be able to ask businesses to delete personal data that is no longer necessary or accurate. Take a closer look at the most important principles of GDPR:
- use personal data fairly, lawfully and in a transparent way
- specify the purposes for which you use the data, and not reuse it for any other incompatible purposes
- make sure that the data is adequate, relevant and no more than what’s necessary
- take steps to ensure that the data is accurate and up to date
- keep the data for no longer than you need it
- keep the data secure against loss, damage or unauthorized use
- be able to demonstrate how you comply with the other principles
These principles are the core of the Regulation, but it’s important to consider other areas as well, including: consent and the documentation of consent, lawful processing, controller/processor contracts, the data protection officer (DPO), accountability and the board, and how to respond to data breaches. If your organization has in the past forgone security processes because of a lack of budget or manpower, increased administrative overhead, or the like, you may have been able to get away with it. Not anymore – it’s not worth the risk.
Penalties for data breaches or non-compliance mean a fine of whichever is greater:
- Up to 4% of annual revenue
- Up to €20m
The GDPR is making security an absolute requirement for organizations handling EU data, large and small, revolving around the concepts of preventing, assessing, and monitoring. In order to discover any weak points in how data is processed or handled, the GDPR mandates that organizations assess their current systems and processes for how they handle data and perform a gap analysis to find what works and what needs to be changed or removed.
There needs to be Privacy/Security by Design and by Default to ensure data is secured from the inception of the application or system. This concept describes the idea that security and privacy need to be considered during the planning phases, rather than only during development (or even later in the SDLC).
Further resources about the GDPR:
- Official website of the General Data Protection Regulation, with the full text of the regulation and further resources.