Wouldn’t it be nice as a customer to have easier access to your personal data, to have the right to transfer your information between service providers without the red tape, to be in control of what data you want deleted without the worry of it being held in some system somewhere in the cloud? As a customer you also want to know if your data has been breached or hacked so you can decide what to do. This all sounds like some advert for a new mobile app or service that is going to cost you lot of money for a per-user licence model. You’ll be surprised to know that this is going to be free to all EU citizens under the General Data Protection Regulations (GDPR).
GDPR supersedes the Data Protection Directive (DPD) that was published in 1995 which became the Data Protection Act 1998 in the UK. GDPR was agreed and signed by the EU commission, EU parliaments and EU council in December 2015 and was published in January 2016. Businesses now have until May 2018 to ensure they are complying with the regulation.
So why the need for a new Data Protection Regulation? The first problem is the difference between a Directive and a Regulation. A Directive allows the member states to apply their own legislation to meet the objectives outlined in Directive the by a given date. This meant global entities doing business with various member states within the EU were bound by different legislations which lead to confusion, introduced corporate red tape and there was a lack of consistency between various countries within the EU in how the directive was applied. As the GDPR is a regulation which means it will need to be applied in full without the need for member state legislation. This creates a single digital market place within the EU protected by one law promoting consistency and confidence when processing EU data.
Another problem was that the DPD was published 21 years ago. In 1995 the world of I.T was a very different place. Smart phones, cloud and mobile computing had not been invented. We were all enjoying the 14K speeds of our telephone modems and Cybersecurity sounded more like a Ridley Scott film than a real life threat. Today’s modern world of I.T is very different; businesses are online 24/7, store large volumes of customer data and are under constant risk of a Cyberattack. GDPR brings data protection to the modern digital age and is focused on personal identifiable information by way of enhancing EU citizen’s rights. However, what does this mean to businesses outside of the EU? A topical debate considering the UKs recent referendum. GDPR has an extended reach in that, any entity handling a EU information for either, the sale of goods and services, or, to monitor behaviour will be bound by the regulation. Failure to comply with the regulation will inevitably lead to fine of 10M euros or 2% of your global turnover and a breach can lead to 20M euros or 4% global turnover, whichever is the highest.
GDPR is one of the biggest shake ups in EU law for the last 20 years. Its impacts are far reaching as it places the responsibilities firmly on the Data Controller (DC) and Processor alike. Under DPD the Data Processors (DP) liabilities were backed off to contract, but they will now be directly bound by the regulation. This stimulates clearer thinking within your supply chain and promotes a better working relationships between the DC and DP as during negotiation stages as it will be up to the DC to be satisfied that the DP has significant enough guarantees that they can process the data according to the regulation and the DC design. Businesses will need to appoint a Data Protection Officer (DPO) to ensure the correct Technical and Operational Measures (TOMs) are in place and carry out the necessary Data Protection Impact Assessments (DPIA) avoiding any sanctions.
As Compliance lead and DPO for The Bunker I have spent many years advising customers on how to protect their data. Although there isn’t currently any standard that guarantees compliance with GDPR, businesses will need to start mitigating their risk today by carrying out Data Protection Impact Assessments, reviewing their Technical and Operation Measures in place and leaning upon the other standards such as PCI-DSS and ISO frameworks. May 2018 seems a long way off to worry about the regulation, but businesses must act today in order to understand how far off they are to compliance.
The Bunker is a managed service hosting provider with over a decade’s worth of experience in deploying compliant, secure systems. Through the years we have built the necessary methodology’s that help meet the most rigorous of standards. We have known about GDPR for some time and have been evolved our services in preparation for this change.
Program Director/Data Protection Officer