For the past few years a regulation has been plaguing the minds of businesses everywhere – the EU GDPR (the European Union’s General Data Protection Regulation). Now, almost three years later, we know what the regulation will be and when it will come into effect (May 2018). But many business heads are still left wondering what it really means and how it will affect them and their business, writes Nathaniel Wallis, Security Account Manager at technology firm Axial Systems.
Let’s take a look at GDPR and some of the myths that surround it.
Many UK firms are still trying to figure out how the shock result of the 2016 vote to leave the European Union will affect them. But one thing that is clear is that, regardless of where you stood on the result or where your business is based, if you want to trade with the EU you will have to meet its regulations. This includes the EU GDPR. So anybody who thought they were going to get away with not having to follow the GDPR now has to wake up to the fact that they will still need to prepare for its imminent arrival. If you have been putting off preparations to see the result, all you have done is give yourself an even shorter timescale in which to be ready.
The regulation provides that each institution or body must appoint at least one person as a Data Protection Officer (“DPO”) to enforce the regulations internally. This means that any organisation that meets the requirements of performing regular and systematic monitoring of data subjects on a large scale, or of processing sensitive personal data on a large scale, will need a person or persons to fill this role. These criteria cover data about either internal staff or external customers/vendors, meaning that almost every medium to large enterprise will need to have this role filled.
3. Accountability and Privacy by Design
The GDPR places accountability obligations on data controllers to demonstrate compliance. This includes requiring them to: (A) maintain certain documentation, (B) conduct a data protection impact assessment for riskier processing (DPOs should compile lists of what is caught), and (C) implement data protection by design and by default. This places all of the pressure on organisations to ensure that all future processes are designed with the above in mind. But what about existing processes? What of all the current data stores that an organisation holds? These will all have to be evaluated and the new regulations applied to their functions and processes.
4. 72 Hours
Businesses must notify most data breaches to the data protection authority. This must be done without undue delay, within 72 hours of becoming aware of the breach. In some cases, the data controller must also notify the affected data subjects without undue delay. Additionally, the UK ICO, for example, already expects to be informed about all “serious” breaches. Research has shown that most organisations have no formal incident response plan and as such would be unable to meet the 72-hour requirement, being ill prepared for a breach. Under the GDPR, this is not a valid reason to miss the required timeline.
All of the above are areas that, if not met, will result in heavy fines in the event of a data breach. A two-tiered approach will apply. Breaches of some provisions, which lawmakers have deemed most important for data protection, could lead to fines of up to 20 million euros or 4 per cent of global annual turnover for the preceding financial year, whichever is the greater, being levied by data watchdogs. For other breaches, the authorities could impose fines of up to 10 million euros or 2 per cent of global annual turnover, whichever is the greater. Fines on this scale will force many companies out of business.