The European Union’s General Data Protection Regulation (GDPR) will apply from 25 May 2018 now that the new rules have been published.
Publication of the regulation in the Official Journal of the European Union means it enters into force on 24 May 2016 and applies from 25 May 2018, giving organisations 24 months to become compliant.
The GDPR will introduce new accountability obligations, stronger rights and restrictions on international data flows.
Against a backdrop of radical technological advances and the Snowden revelations, the new framework is ambitious, complex and strict. It presents any organisation that has so far failed to begin preparations with a steep challenge to become compliant in time.
“The countdown has begun. Businesses operating in Europe or targeting European customers have two years to get their act together and prepare for the new regime,” said Eduardo Ustaran, European head of privacy and cyber security at law firm Hogan Lovells.
“At stake are not only the consequences of non-compliance, but the ability to take advantage of the opportunities presented by new technologies, data analytics and the immense value of personal information.
“From determining when European law applies to devising a workable co-operation strategy with national regulators, there are many intricate novelties to understand and address,” he said.
To help organisations with the challenge, Hogan Lovells has published a guide entitled Future-proofing Privacy. It has been co-authored by 24 lawyers from 10 European Hogan Lovells offices.
The law firm said the guide is aimed at providing practical pointers to help organisations and individuals understand the new rules, identify how they impact on their own business, and comply with them in a practical and viable manner.
‘Keep calm and carry on’
Christine Andrews, managing director at data governance, audit and consultancy firm DQM GRC, said “keep calm and carry on” seems a fitting theme for the published regulation.
However, she said this is only the case if you’re one of the organisations already valuing customers’ data.
“Unfortunately, for too long, some organisations have presumed consent, worked with implied permission, and experienced data losses that have taken months to detect and report. In some cases, such as TalkTalk, [organisations] have been unable to properly classify what personal data has been compromised.
“No CEO wants to look as ill-informed as poor Dido Harding, and customers have an absolute right to expect better,” she said.
Preparing for legislation
According to Andrews, there are a few steps organisations can take to begin preparing for the new legislation immediately.
“First, organisations need to evaluate the personal data they have; categorising the data so they are clear where the personal and sensitive data resides and where other less important data sits in the company,” she said.
Usually, said Andrews, drafting a data flow map will help businesses to understand the pattern of data through the company, provide clarity on who has “eyes on” the data, what skills these people have and, finally, highlight where the data ends up.
“Once organisations understand just what personal data they have, they should then ensure that regular risk assessments are completed to understand the degree of threat imposed on the company when processing data.
“Indeed, the GDPR demands a risk-based approach with the development of appropriate controls. This should, in a single stroke, ensure that management recognise the dangers associated with the loss, misuse, theft or any other compromise of customer data,” she said.
For organisations that pass data on to third parties, Andrews said there is often a tendency to presume that those parties must operate to high standards of data security and protection. However, the GDPR now states that controllers must only engage processors that can provide “sufficient guarantees”.
“Basically, as the data owner, you must check they have effective ‘technical and organisational measures to ensure the security of the processing’,” she said.
Data breach response plan
The GDPR also introduces the need for organisations to prepare a breach notification plan in the event that something does actually go wrong. The regulation requires a personal data breach to be notified to the supervisory authority within 72 hours of the controller becoming aware of it, where feasible, so the plan needs to be rehearsed rather than written on the day.
“If you’re already clear on what type of personal data you manage (categorisation) and where it is (data flows), then this process will be somewhat easier,” said Andrews.
“However, it’s worth being clear on who will co-ordinate the customer communication, the media response and the remedial activity – and make sure you rehearse this so you are practised in the actual event. Consider it a data breach fire drill.”
Although organisations have a two-year deadline to become compliant with the new legislation, it is vital to remember that two years can pass quickly, she said. For many organisations, a significant amount of time and financial investment will be required, she added.
Read more about the GDPR
- Companies that fail to start planning to deal with the EU’s data protection requirements are in for a real shock, warns the International Association of Information Technology Asset Managers.
- The GDPR is about enabling organisations to realise the benefits of the digital era, but it is serious about enforcement for those that do not play by the rules, says the UK information commissioner.
- The staffing impact of the GDPR will be huge, with 28,000 data protection officers (DPOs) in Europe alone, says the International Association of Privacy Professionals.
- European firms are set to invest in data protection in 2016, with enforcement of the EU General Data Protection Regulation just two years away, Computer Weekly’s IT priorities survey shows.