Why Data Protection Must Be The Way Your Organisation Both Thinks And Behaves In The Era Of The General Data Protection Regulation (GDPR)

Posted by Chris Scott

The GDPR marks a dramatic sea change in the way Personally Identifiable Information (PII) is collected, stored and shared by businesses of all sizes. It comes into force this summer and requires all organisations to implement a wide range of measures to prove they take data governance seriously.

Although many firms are blissfully unaware of its implications, if your organisation handles any form of Personally Identifiable Information (PII) you should be under no illusion: the GDPR applies to you!

It is now mandatory for your organisation to go public within 72 hours should it suffer a data breach. In other words, it’s no longer acceptable to keep a breach quiet and hope that nobody finds out.

The GDPR also introduces a host of new concepts. These include ensuring appropriate data governance, privacy by design, and mandatory Privacy Impact Assessments (PIAs). And if your organisation has more than 250 employees, you now need to appoint a Data Protection Officer (DPO).

Crucially, if your organisation is found to be in breach, it will now be breaking the law and subject to fines of up to €10m or 4% of global turnover.

New rules, major uncertainty

Described as the biggest shake-up to privacy regulation for 20 years, the GDPR is part of a wider European Union (EU) Data Protection Reform package designed to harmonise rules across the EU’s 28 Member States. Ratified and signed off by the European Commission (EC) and Council in April 2016, it is now European law, with member states having two years to comply.

The GDPR makes privacy and data protection integral to technological development and organisational processes and structures, and makes all parties within the supply chain accountable for assuring the confidentiality and integrity of the PII being held.

As such, the GDPR encompasses the supply chain in much the same way that the Payment Card Industry Data Security Standard (PCI DSS) v3.0 puts responsibility for compliance on the business itself – irrespective of whether it’s working with a third party.

Any firm either providing or consuming IT applications and services under an outsourcing agreement for data centres, data storage, or Cloud Infrastructure and services must have a complete understanding of its obligations under the GDPR as a processor or controller of data, and implement the appropriate people, process and technological measures to assure compliance.

However, the GDPR does not cite any existing or future technical standards or codes as a means to secure compliance. Nor does it identify any specific agency or body to manage the process of accreditation, although approved codes of conduct are suggested as a way of demonstrating compliance (for both controllers and processors).

Moreover, running to about 200 pages, the legislation has been described as ‘fiendishly complicated’ and, unlike technical standards such as PCI DSS, is not prescriptive. Instead, it uses terminology such as ‘appropriate’ and ‘state of the art’ to describe the measures and mechanisms required to protect PII.

Identify what the GDPR means for you

Despite the complexity it brings, the GDPR does put an end to the patchwork of data protection rules across the EU and strengthens the right to data protection.

With firms having until 2018 to show compliance, it is imperative that they now do everything they can to protect the PII they hold. They must also have clear visibility of everything that is going on within their environment and across their supply chain. This means embracing a culture of security – not just within their own organisation, but also in everything they do and with everyone they deal with.

Make no mistake: the EU’s GDPR is a real game changer. Firms that underestimate its implications do so at great peril.

If you are breached, if something goes wrong and you lose data, you will be investigated under the powers of the GDPR. If it can be proven that you have not behaved appropriately and have failed to put in place appropriate or state of the art measures of control, you will be subject to the full force of EU law.

Download our new white paper to gain a better understanding of the new rules and the practical steps you must take to ensure compliance, or speak to one of our experts on 01304 814800.