The General Data Protection Regulation (GDPR), has been making headlines for some time and it’s likely that you’ll have heard of it. However, recent surveys have shown a lack of understanding by organisations across Europe and worldwide and with Brexit underway some UK organisations have wrongly stopped preparing for it.
So, what is GDPR?
The General Data Protection Regulation, is a piece of legislation that was approved and put in place by the European Parliament in April 2016. As European Law, it will fully take effect after a 2-year transition ending May 25th, 2018.
GDPR replaces the previous Data Protection Directive (DPD), adopted in 1995, and will in the UK strengthen the Data Protection Act (DPA). One of the initial differences between GDPR and DPD is that GDPR is a regulation, not a directive; as a regulation, no additional enabling legislation will have to be passed by governments of member states.
In compliance with GDPR, organisations must ensure measures have been taken to minimalise risk and the chance of data breach. These processes and policies will also ensure organisations are accountable and can be governed; part of the ICO guidelines on GDPR reads, organisations must “implement appropriate technical and organisational measures that ensure and demonstrate compliance”.
Although member states will not have to enable their own legislation, they are free to add further regulations around what GDPR sets out. Each member state will be enforced by the relevant supervisory authority, for example, the Information Commissioners Office in the UK and The Federal Commission for Data Protection and Information Freedom in Germany.
Key definitions under GDPR:
- Data subject – An individual who is the subject of personal data.
- Data processor – Any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
- Data controller – A person who (either alone or jointly or in common with other persons) determines the purpose for which and the manner in which any personal data are, or are to be, processed.
- Personal data – Any information related to a data subject that can be used directly or indirectly to identify that person*.
- Data breach – A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
*Under GDPR this now covers information including an IP address.
How will GDPR affect my organisation?
The General Data Protection Regulation, has by some, been labelled the “Global Data Protection Regulation”, this is because under new definitions it will be applicable for all organisations within the EU but more importantly too, organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.
One of the initial drivers for implementing the new legislation was to modernise data protection laws and to ensure all organisations have a “level playing field” when it comes to data protection.
The penalties for non-compliance are also significant. Under previous UK law, DPA as enforced by the ICO, an organisation could be served a monetary penalty of up to £500,000 for a serious data breach. Under GDPR an organisation can be fined €10million or 2% of global revenue for failing to alert the necessary regulatory authority of a data breach within 72 hours. For a data breach itself, under GDPR, this rises to €20million or 4% of global revenue, whichever figure is higher.
The right to erasure
This is also known as the right to be forgotten. This principle, under GDPR, gives individuals the right to request that their personal data be deleted or removed in a case where there is no compelling reason for its continued processing. In line with other factors of GDPR, this must be trackable and the processes around deletion of personal data must be documented.
How can I be compliant?
Some organisations will be required to appoint a Data Protection Officer (DPO) in the case where they are a public authority, an organisation that engages in large-scale systematic monitoring or an organisation that engages in large-scale processing of personal data.
Internal records of processing activities must be kept, these include retention schedules, the purpose of processing data and a description of technical and organisational security measures.
Organisations will have to be able to track an individual's personal data, assuming this data can identify the individual (directly or indirectly), and have processes in place to be able to remove this data should the data subject request this. Internally organisations must implement “appropriate” technical and organisational measures to secure personal data and reduce the risk of a data breach. Organisations should consider as appropriate “the pseudonymization and encryption of personal data”.
Managing and Protecting Data
The General Data Protection Regulation aims to give more protection of personal data for individuals as well as businesses and although there are heightened regulations around control, this is far from the only area covered by GDPR.
All aspects of the DPA are still included in GDPR and protecting against Data Loss is still a priority. The ability to protect and recover data has never been more important.
Working with trusted vendors and suppliers bears extra responsibility on both organisations as GDPR makes both data processors and data controllers liable. Redstor have been a trusted technology partner for thousands of organisations globally, for almost 20 years. By working directly with our community of users to develop and grow our technology offering, we have built a secure data-first backup and recovery platform.