The General Data Protection Regulation (GDPR), has been making headlines for some time and it’s likely that you’ll have heard of it. However, recent surveys have shown a lack of understanding by organizations across Europe and worldwide and with Brexit underway some UK organizations have wrongly stopped preparing for it.
So, what is GDPR?
The General Data Protection Regulation, is a piece of legislation that was approved and put in place by the European Parliament in April 2016. As European Law, it will fully take effect after a 2-year transition ending May 25th, 2018.
GDPR replaces the previous Data Protection Directive (DPD), adopted in 1995, and will in the UK strengthen the Data Protection Act (DPA). One of the initial differences between GDPR and DPD is that GDPR is a regulation, not a directive; as a regulation, no additional enabling legislation will have to be passed by governments of member states.
In compliance with GDPR, organizations must ensure measures have been taken to minimalize risk and the chance of data breach. These processes and policies will also ensure organizations are accountable and can be governed; part of the ICO guidelines on GDPR reads, organizations must “implement appropriate technical and organizational measures that ensure and demonstrate compliance”.
Although member states will not have to enable their own legislation, they are free to add further regulations around what GDPR sets out. Each member state will be enforced by the relevant supervisory authority, for example, the Information Commissioners Office in the UK and The Federal Commission for Data Protection and Information Freedom in Germany.
Key definitions under GDPR:
- Data subject – An individual who is the subject of personal data.
- Data processor – Any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
- Data controller – A person who (either alone or jointly or in common with other persons) determines the purpose for which and the manner in which any personal data are, or are to be, processed.
- Personal data – Any information related to a data subject that can be used directly or indirectly to identify that person*.
- Data breach – A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
*Under GDPR this now covers information including an IP address.
How will GDPR affect my organization?
The General Data Protection Regulation, has by some, been labelled the “Global Data Protection Regulation”, this is because under new definitions it will be applicable for all organizations within the EU but more importantly too, organizations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.
One of the initial drivers for implementing the new legislation was to modernize data protection laws and to ensure all organizations have a “level playing field” when it comes to data protection.
The penalties for non-compliance are also significant. Under previous UK law, DPA as enforced by the ICO, an organization could be served a monetary penalty of up to £500,000 for a serious data breach. Under GDPR an organization can be fined €10million or 2% of global revenue for failing to alert the necessary regulatory authority of a data breach within 72 hours. For a data breach itself, under GDPR, this rises to €20million or 4% of global revenue, whichever figure is higher.
The right to erasure
This is also known as the right to be forgotten. This principle, under GDPR, gives individuals the right to request that their personal data be deleted or removed in a case where there is no compelling reason for its continued processing. In line with other factors of GDPR, this must be trackable and the processes around deletion of personal data must be documented.
How can I be compliant?
Some organizations will be required to appoint a Data Protection Officer (DPO) in the case where they are a public authority, an organization that engages in large-scale systematic monitoring or an organization that engages in large-scale processing of personal data.
Internal records of processing activities must be kept, these include retention schedules, the purpose of processing data and a description of technical and organizational security measures.
Organizations will have to be able to track an individual's personal data, assuming this data can identify the individual (directly or indirectly), and have processes in place to be able to remove this data should the data subject request this. Internally organizations must implement “appropriate” technical and organizational measures to secure personal data and reduce the risk of a data breach. Organizations should consider as appropriate “the pseudonymization and encryption of personal data”.
Managing and Protecting Data
The General Data Protection Regulation aims to give more protection of personal data for individuals as well as businesses and although there are heightened regulations around control, this is far from the only area covered by GDPR.
All aspects of the DPA are still included in GDPR and protecting against Data Loss is still a priority. The ability to protect and recover data has never been more important.
Working with trusted vendors and suppliers bears extra responsibility on both organizations as GDPR makes both data processors and data controllers liable. Redstor have been a trusted technology partner for thousands of organizations globally, for almost 20 years. By working directly with our community of users to develop and grow our technology offering, we have built a secure data-first backup and recovery platform.
The infamous Equifax data breach has once more expanded, the company announced last week that a further 2.4 million consumers in the United States... read more