GDPR, the new EU General Data Protection Regulation, entered into force in May 2016 and will come into full effect in May 2018. GDPR aims at increasing the protection of EU citizens’ personal data integrity and brings with it new requirements on organizations. Is your organization prepared for this – or do you face the risk of potential financial penalties?
The need for updated legislation is related to the rapid development that has taken place over the last 20 years. The way we use technology, with the Internet and social media, has dramatically increased our exposure as individuals. Other technological advances, such as big data analysis capabilities and cloud service providers, have changed the way organizations collect and process data about individuals as part of their business. An important reason for the reform is expressed in the European Commission’s fact sheet: “to strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the Digital Single Market”.
The new regulation is a very extensive document with many requirements affecting organizations. Each organization has to review what it means for their business, and what action they need to take. The list below summarizes some of the most important requirements and changes that organizations need to be aware of.
- Harmonization – the previous directive on data protection was just a directive. This means that each country has made its own interpretation and set up its own national laws based on the directive. It also means that a company that wants to do business in several European countries needs to adhere to different national data protection laws and report to several national data protection authorities. The new regulation is different, in that it is directly enforceable as law in all member states.
- Geographical reach – organizations based outside of the EU are also subject to the regulation if they offer goods or services to EU citizens or process personal data related to the monitoring of their behavior.
- Data portability – individuals have the right to request that personal data they have provided to a controller be given to them in a structured, commonly used, machine-readable and interoperable format. This allows the individual to transfer their data to another controller.
- Right to be forgotten – the purpose of the processing of an individual’s data ceasing, or a previously given consent being withdrawn, are two examples of situations where an individual has the right to request that their data be erased and no longer processed by the controller.
- Data security – Article 25 covers data protection by design and by default. The controller must implement appropriate technical and organizational measures to ensure that the data is managed and processed securely.
- Breach notification – if a data breach occurs, the data controller is obliged to report it to the supervisory authority without undue delay, and no later than 72 hours. The controller must also notify the data subject without undue delay, so that the individual can take the necessary precautions.
- Consequences of non-compliance – the previous national laws have differed, but have typically been weak in terms of actual consequences for organizations that do not comply with the law. This changes now. Depending on the circumstances and the degree of non-compliance, administrative fines of up to 20 MEUR or 4% of worldwide annual turnover (whichever is higher) can be imposed.
Do you know how your organization is exposed and what you need to do?
SecureLink works with customers to help identify the scope, their starting point, and recommended actions for working towards compliance. Some examples include:
- GDPR readiness assessment – identify the current status in terms of organizational awareness, process maturity and technical maturity. Get insight into recommended actions for your compliance work.
- Data inventory – work with top-down and bottom-up approaches to identify the scope of personal data within your organization. Understand what type of data you hold and where it resides, in order to determine the proper actions to protect it.
- GDPR risk assessment and action plan – based on the data inventory and readiness status, we help you define an action plan suitable for your risk appetite.
- Technical controls and security processes – there are several solutions available that may be important elements in a data protection strategy, including:
  - Data loss prevention
  - Database security
  - Cloud security
  - SIEM/log management
  - Privileged account security
  - Data breach detection and reporting
How can we help?
Contact us today for a discussion about what your organization needs to do to get ready for GDPR, and how SecureLink can guide you through the process.