The GDPR – Forget Everything You Knew About Data Protection

Connecting the Dots

The new General Data Protection Regulation (AKA GDPR) is not another directive; in May 2018 it is set to become an enforceable law that will change the world of data protection as we know it.

How it all began

In April 2016, the EU parliament approved the new regulation, replacing the current directive under which businesses have been operating for the past 20 years.

Organisations that work with or process EU residents' data were given a two-year transition period to plan for and implement the necessary changes to their daily processes and policies. This two-year period is about to end.

The Regulation: Different types of entities

First, it is important to understand the two types of entities to which the regulation refers:

“Data controller” – a person who (either alone, jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.

“Data processor” – any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

The Major Differences

Although the new regulation maintains key principles of the previous directive, it includes various changes. Here are some of the major ones:

1.     Business location – The regulation has extra-territorial applicability: whether your company controls the data or merely processes it, if that personal data belongs to subjects residing in the European Union, the regulation applies to you.

2.     Heavy penalties – Don’t say you didn’t know! Organisations found not to be compliant with the new regulation can be fined up to 4% of annual global turnover or €20 million (whichever is greater).

3.     Request for consent – Want to use personal data for business purposes? You will now need to obtain explicit consent from the user before using the information. This is done by presenting the user with an easily understood terms and conditions form, which must also state the purpose for which the data is processed.

4.     Breach notification – Been breached? If the breach puts the personal data you control or process at risk, you may be obligated to report it within 72 hours. Exposure of this kind of information can cause not only financial damage but also a significant stain on the company’s reputation.

5.     Transparency – Data subjects will be able to obtain, from the data controller, confirmation as to whether information concerning them is being processed by the controller, in what form and for what purposes. The data controller shall provide the subject with a copy of the personal data being held, free of charge.

6.     Right to be forgotten – Where a data subject withdraws their consent, or the processing of the data is no longer relevant to the original purpose, the data subject has the right to ask the data controller to completely erase their information and to stop processing and disseminating it.

7.     Data portability – Data subjects will have the right to receive the personal data they previously provided to a data controller, in order to transmit it to another controller.

8.     Privacy by design – This will no longer be considered an add-on to a product, but a legal requirement that must be built in from the beginning of the product design.

9.     Data Protection Officers (DPOs) – Certain organisations will be obligated to appoint a Data Protection Officer, who will be responsible for overseeing the organisation's data protection strategy and implementation, and for ensuring compliance with the new regulation.

It is important to note that the regulation does not specify a framework for adherence; it puts the responsibility on organisations to maintain best practices for data security. That means each organisation's needs, and the adaptations it must make for the GDPR, will be unique.

GDPR and BREXIT

UK businesses might ask themselves whether they should prepare for the new regulation at all. Since the UK is due to leave the European Union following Brexit, will the regulation apply to them?

The answer, in short, is yes. Here’s why:

1.     The UK is scheduled to leave the EU in March 2019, meaning it will still be part of the EU when the regulation comes into force (May 2018).

2.     Since the regulation applies to any organisation that works with or processes EU residents’ data, most UK businesses will still have to comply with the regulation, regardless of Brexit.

3.     This August, the British government published its statement regarding the country's data protection bill. Much of the bill aims to implement the GDPR, meaning that either way, UK businesses will need to be compliant.

Final note

So, there you have it. If you’re in the world of data protection and working with the data of any EU individuals, you had better start thinking fast. You have until May 2018 to plan and implement a compliant system. It’s no longer an option; it’s now the law.

The GDPR – 5 steps to start from

You know you need to make changes to your data protection processes. You've read, learnt and accepted your fate. You've even negotiated a budget and resources. So, what now? And how will you get it all done for May 2018 when the regulation becomes law?

If you too are feeling a little overwhelmed, we've prepared five simple steps to get you started:

Increase Awareness

When it comes to data, privacy and cyber security, your employees are the first line of defence. Make sure all of your employees are well aware of the new regulation and its key principles, as well as the threats the company is facing.

This includes tailored training for all employees, from the security and management teams through to your administrative department. One great solution is to implement an anti-email-phishing programme that uses an interactive approach and simulates real-world phishing emails to help prepare employees for the real thing.

Data Mapping

Ask the following questions to map the information your company holds:

What data do we have?
Where is it held?
Who has access to it?
Are there any third parties with access to this information?

This task can be incredibly tedious and often error-prone. There are many tools on the market to help you with it.

Remember – as of May 2018, knowing what data you have will no longer be merely a convenience, but your legal obligation.

Map the Data’s Journey

Follow the data from the moment it arrives at the company until it is processed and saved, either by you (as a ‘data controller’) or by your ‘data processor’. Distinguish between the different types of information:

1.     Information about your company – this might include information about your products, research and development, business practices and processes, employees, and the state of your finances.

2.     External information – customers’ information that is being controlled and processed. For the purposes of the GDPR, you need a complete view of the ‘data journey’: where the data is stored, how it is processed, which third-party companies it has passed through, and so on.

Data Protection Impact Assessment (DPIA) or a Gap Analysis

This is an assessment of your organisation’s current security level as well as its level of compliance with the regulation. It will help you identify and prioritise the key areas your organisation must address ahead of May 2018.

Remediation Plan

Based on the results of the gap analysis, initiate a remediation plan with clear, prioritised tasks. This may include the implementation of various cyber security products, training programmes, subscriptions to threat intelligence feeds, a risk assessment of your data processors, the establishment of an incident response plan, and much more.

Final note

We recognise that preparing your organisation to comply with the GDPR is no small feat. The above five items are a solid start, but you should also consider using a single service provider to manage the entire operation from start to finish, from data mapping to the implementation of the remediation plan. If you do choose to work with a service provider, be sure they have a deep familiarity with the regulation, turn-key capabilities and connections to the latest cutting-edge cyber technologies.

Good luck!