4 Sept 2017: Impending General Data Protection Regulation
The General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years.
In April 2016, the European Parliament and Council adopted the General Data Protection Regulation (GDPR), which governs the capture, control, and consent to use personal information. GDPR broadens the scope of personal privacy law to protect the data rights of individuals in the EU and to reflect changes in technology and in the ways organisations collect and hold information about people. Under GDPR:
- Individuals will have greater control over who has their data, and how it is used
- Organisations will need to report certain personal data breaches to the supervisory authority within 72 hours of becoming aware of them.
- Organisations will be bound by more stringent rules for obtaining consent from individuals on how their data can be used, where consent is the basis relied on for the processing.
With the onset of GDPR, it is clear that the responsibility for protecting the personal data of customers and prospects falls on the shoulders of your organisation. The definition of personal data is more detailed and makes it clear that an online identifier, for example an IP address, can be personal data. GDPR applies to personal data that resides anywhere within an organisation, so its impact will be felt by every area of the business.
Today, this is an EU regulation. But think about your clients. Do they include people in the EU? GDPR applies to any organisation, inside or outside the EU, that offers goods or services to individuals in the EU or monitors their behaviour.
If you currently have to comply with the Data Protection Act (DPA), you will need to comply with GDPR.
GDPR is not something organisations can take lightly. There is no grace period: organisations must be compliant from the day it applies. Regulators will be able to issue significant fines for non-compliance: up to EUR 10 million or 2% of global annual turnover for some infringements, and up to EUR 20 million or 4% for the most serious, whichever is higher.
A single violation could potentially put your company, or that of your clients, out of business. And depending on the infringement, the reputational damage from non-compliance may be long lasting, or even insurmountable. A simple "we're sorry" will not suffice.
GDPR applies from 25 May 2018, and Britain's decision to leave the EU will not affect its commencement.
Protecting and securing data is not about creating a veil of secrecy. It is about breaking down silos. It is about control. It is about being transparent about what you do with personal data and who you share it with. The first step is understanding what personal data you actually hold; after all, you cannot protect what you do not know you have. To ensure GDPR compliance, you must be able to answer the following critical questions and show proof of your answers:
- What data do we hold, and what types of information could identify an individual?
- Where is that data located?
- Who is responsible for that data?
- What level of security is in place?
- Who has access, and do they need that access?
- How will the data be used?
- Do we need consent to use that data?
The ability to report on data is incredibly important when it comes to breach notifications. Under the regulation, companies must report a personal data breach to the supervisory authority no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be told without undue delay. The harms in view include discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage.
GDPR further complicates data protection by establishing far-reaching rules for how data is managed, processed, and deleted. It is no longer just about finding data and making sure it is secure. It is about capturing the context of the data and being able to demonstrate that everything is being done to protect it and to uphold the rights of the data subject.
Data governance provides the path you need.
Data governance can serve as the underpinning of GDPR compliance. It provides a framework for managing and defining enterprise-wide policies, business rules, and data assets to deliver the necessary level of data protection and quality. Data governance gives your data context. It provides the answers you need to begin addressing the complex issues surrounding GDPR compliance. If you can find the data and understand it, you can report on it, and that allows you to provide the evidence regulators require and helps to make your organisation GDPR-ready.
Responsibility: data protection must become a board-level discussion. One of the biggest changes under GDPR is accountability. Some organisations will be required to appoint a Data Protection Officer (public authorities, and organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data). Even if you are not required to, you may feel it appropriate.
Action: start the discussion on GDPR today and, if necessary, form a committee. Review the ICO website, which contains a lot of helpful information and guidance: https://ico.org.uk/for-organisations/data-protection-reform/ COBRA Network members can look out for our upcoming workshops, available to all members, or speak with your Compliance contact to gain a better understanding of your responsibilities.
Our Compliance team at COBRA Network is looking to provide support and templates to members to help them understand GDPR.