Agreed in December 2015, the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) supersedes the Data Protection Directive (Directive 95/46/EC). It is a Regulation by which the European Union intends to strengthen and unify data protection for individuals within the EU. It also governs the transfer of personal data outside the EU and applies from 25 May 2018.
The Regulation is formally adopted in 2016, but it does not apply until 25 May 2018. This two-year transition period is intended to allow organisations to understand the legislation and put the required measures in place.
Businesses will now have to consider seriously how they handle personal data, and satisfy themselves that the companies in their supply chain maintain rigorous and diligent data management standards. Processes covering collection, processing, retention and deletion may need to be revised so that they are compliant with the stricter data protection rules.
Many business documents will also need to be reviewed to ensure they comply with the new regulations, such as contracts, risk assessments and business continuity plans.
If your organisation falls within the GDPR's mandatory categories (public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data such as health or biometric data), you will also need to appoint a Data Protection Officer (DPO) to oversee data protection compliance; other organisations may still choose to appoint one. Failure to prepare exposes your business to the substantial financial sanctions available under the GDPR: fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.
A ‘right to be forgotten’ (the right to erasure) will help people better manage data protection risks online: they will be able to require deletion of their data where there are no legitimate grounds for retaining it.
People will be able to transfer personal data from one service provider to another more easily (data portability), with the aim of improving competition among services.
People must have easier access to their own data (the right of access).
Companies and organisations must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk to individuals, those affected must also be informed.
Public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data, must appoint a Data Protection Officer (DPO) as the principal point of contact for all data protection matters.
Data processors, not only data controllers, now have obligations imposed directly by the GDPR rather than solely by their contract with the controller, although a written contract between controller and processor is still required.
Businesses should start mitigating their risk today by carrying out Data Protection Impact Assessments for high-risk processing, reviewing the technical and organisational measures they have in place, reviewing their supply chain, and drawing on established standards such as PCI DSS and the ISO 27000 series (for example ISO/IEC 27001) where these already cover parts of the requirement.
The May 2018 deadline may seem a long way off, but businesses must act now in order to understand what achieving compliance will take.
The Bunker has over a decade of experience in deploying compliant, secure systems. Over the years, we have built the necessary methodologies that help meet the most rigorous of standards and compliance regulations.
The GDPR will change the security culture of businesses, and The Bunker is well prepared. Our continual assurance approach helps our customers remain compliant, mitigate risk and stay secure, with transparent, auditable and diligent IT processes that demonstrate data protection requirements are being met.
Along with our own experienced, in-house Data Protection Officer, we can work with you to help prepare for these changes and take the necessary steps towards ensuring full GDPR compliance.