In May 2016 the biggest shake up of data protection in its history was ratified in the form of the EU General Data Protection Regulation (GDPR).

The GDPR is designed to support the needs of a digital world that is evolving at an unprecedented, exponential rate: your personal details can be in 100 places within seconds, and information is shared like never before.

The GDPR really puts the data subject in the driving seat and places the burden of duty on the data holder.  We've been given a 2-year grace period before it becomes enforceable, but what are these changes and what do they mean for you?

What is GDPR?

The General Data Protection Regulation is a new law which mandates that businesses handling the Personally Identifiable Information (PII) of EU citizens implement strong data protection policies to guard such data.  This gives the customer more control over their information: where it's going, who has it and what it's used for.

Does it affect me?

The short answer is Yes!  Stakeholders within your organisation, from Chief Executives and Vice Presidents to compliance/legal divisions, should be especially interested.  These roles carry corporate responsibility for ensuring the company meets regulatory requirements.  Data Protection Officers are responsible for developing the right strategy to ensure the success of their business.  The Board of Directors will be asking you questions if they're told to write a cheque with several zeros on the end.  Stakeholders need to see GDPR as a mechanism to make their organisations better and more secure, with a positive social impact, rather than as a negative chore of complying with yet another set of rules.

The Highlights

We’ll delve into these in more detail in future posts, but here are the noteworthy points:

  • Breach notification to data subjects
  • Breach notification to regulatory bodies within 72 hours
  • Data processing security
  • Data Protection Impact Assessment
  • Data security by design and by default

The Impact

The most obvious answer here is the eye-watering financial penalties that the GDPR gives the regulatory body the power to impose: a maximum of 20M Euro OR 4% of global turnover, whichever is the GREATER.  Aside from the financial penalties, you will suffer loss of reputation, custom and staff morale, and a tidal wave of trust issues associated with your brand.

5 Immediate GDPR Preparation Steps!

  1. Start your preparation plan now!
  2. Encrypt your data
  3. Perform an inventory of data, security and compliance policies and procedures
  4. Deliver staff awareness training and secure management buy-in to the changes
  5. Have a data breach incident response plan

In only 14 months, the enforcement date will be upon us.  That's not much time to effect change.  Two of the major mitigating measures provided for in the regulation are pseudonymisation and encryption.  Both are very powerful, not only in ensuring your organisation's legal compliance but also in protecting it.  In this blog series we'll examine both in much more detail.

Richard Hancock is a guest contributor and is Data Protection Officer for GMO GlobalSign, a leading Certificate Authority and encryption solution provider. 

Read a brief intro to how Ubisecure can help your company towards GDPR compliance, or check out the first of our configuration tips. Or contact us now to discuss your GDPR project and how building in consent management can help.