GDPR stands for General Data Protection Regulation, and starting from 25 May everyone in the European Union will have to comply with the new rules.
What does GDPR mean?
Since the WEEE directive in 2006, the GDPR is the most significant change in data protection legislation. GDPR is a new EU regulation designed to replace the existing Data Protection Directive. Enacted in 1995, the existing directive was established before the days of widespread internet use, which has fundamentally changed the way we create, use, share, and store information. GDPR is a way to unify the approach to data privacy and security, and its ultimate goal is to simplify and update the protection of personal data.
With its enforcement date approaching, here are some key points to consider in preparing your organization for GDPR compliance.
- Wider Geographic Scope – You don’t have to be based in Europe for it to apply. Any company that does business with the EU is subject to the GDPR. Even if you are offering a free service you may be subject to the GDPR.
- Data Protection Authorities – DPAs will have more power to enforce much more severe penalties for any kind of breach of personal data.
- Personal Data – The definition has widened and now includes IP addresses and other online identifiers.
- Long illegible terms and conditions – No more “reading” of numerous Terms & Conditions pages. Most of us have just scrolled through them without even looking.
- Technical and organizational measures – These become mandatory. This relates to hashing and encryption of personal data: the ability to ensure confidentiality, integrity and availability, and processes to test the effectiveness of security measures.
- Data Processing Registries – These also become mandatory, meaning that organizations will need to keep a written (electronic) record of personal data processing activities, capturing the lifecycle of the data.
- Data Profiling – Data protection impact assessments are required for technologies or processes.
- Personal Data Breaches – Any breach that happens to either a personal or a business account must be reported to the client within 72 hours of becoming aware of it. If it is a business account, the affected individuals must be informed “without delay”.
- Data Protection Officer – All organizations that monitor data processing on a large scale will be required to have one. The DPO monitors organisational compliance with the regulation, must report directly to the organization’s highest management level, must be able to perform tasks in an independent manner, and cannot be penalized or dismissed for performing their duty.
- Attaining Data Protection – By default and by design: privacy calls for the inclusion of data protection from the onset of the design of systems, rather than as an addition.
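The “technical and organizational measures” point above names hashing of personal data and the ability to test that the measure works. The following is an added example (not code from the original post) showing the hashing half of that in Python’s standard library: direct identifiers such as an email address or an IP address are replaced by keyed, purpose-bound pseudonyms, and a check function confirms that no raw identifier survives in the output. The sample records, the field names `email`/`ip`/`page` and the purpose labels are constructed for illustration; a real deployment would manage the key in a secrets store and would pair this with encryption at rest, which this example does not cover.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample records: an email address plus an IP address, i.e. the
# kind of "online identifier" the widened definition of personal data covers.
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "ip": "203.0.113.7", "page": "/pricing"},
    {"email": "alice@example.org", "ip": "203.0.113.7", "page": "/checkout"},
    {"email": "bob@example.net", "ip": "198.51.100.23", "page": "/pricing"},
]

# Fields treated as direct identifiers (assumed field names for this example).
DIRECT_IDENTIFIERS = ("email", "ip")


def pseudonymize_value(value: str, key: bytes, purpose: str) -> str:
    """Replace a direct identifier with a keyed, purpose-bound token.

    A plain (unkeyed) hash of an IPv4 address is a weak pseudonym: the input
    space is only 2**32 values, so the original can be recovered by hashing
    every candidate. HMAC with a secret key removes that weakness, and mixing
    the purpose label into the message gives the same person unlinkable tokens
    across different processing purposes (analytics vs. billing, for example).
    """
    canonical = value.strip().lower().encode()
    msg = purpose.encode() + b"\x00" + canonical
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymize_record(record: dict, key: bytes, purpose: str) -> dict:
    """Copy a record, swapping each direct identifier for its token."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[field + "_token"] = pseudonymize_value(value, key, purpose)
        else:
            out[field] = value
    return out


def pseudonymize_dataset(records: list, key: bytes, purpose: str) -> list:
    return [pseudonymize_record(r, key, purpose) for r in records]


def verify_no_direct_identifiers(records_in: list, records_out: list) -> bool:
    """Effectiveness test: none of the raw identifiers may appear in the output."""
    blob = json.dumps(records_out)
    for record in records_in:
        for field in DIRECT_IDENTIFIERS:
            if record[field] in blob:
                return False
    return True


def processing_log_entry(purpose: str, records_in: list, records_out: list) -> dict:
    """Minimal entry for a record of processing activities (constructed shape).

    The digest of the pseudonymized output lets an auditor later confirm that
    the dataset they are shown is the one this processing step produced.
    """
    digest = hashlib.sha256(
        json.dumps(records_out, sort_keys=True).encode()
    ).hexdigest()
    return {
        "purpose": purpose,
        "records": len(records_in),
        "fields_removed": list(DIRECT_IDENTIFIERS),
        "output_sha256": digest,
    }


if __name__ == "__main__":
    # Fresh random key; in practice this lives in a secrets store, not in code.
    key = secrets.token_bytes(32)
    output = pseudonymize_dataset(SAMPLE_RECORDS, key, "analytics")
    print(json.dumps(output, indent=2))
    print("no raw identifiers leaked:", verify_no_direct_identifiers(SAMPLE_RECORDS, output))
    print(json.dumps(processing_log_entry("analytics", SAMPLE_RECORDS, output), indent=2))
```

Two records from the same person under the same key and purpose get the same token, so sessions can still be counted or joined; under a different purpose or a rotated key the tokens change, which is what keeps the pseudonyms from becoming a universal identifier.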
The technical and legal changes required to comply with the GDPR are substantial and will require changes at an organizational level. The GDPR will apply to all companies that offer goods or services to, or monitor the behavior of, EU citizens. It applies to all organizations established in the EU, and also to companies based outside the EU if they have EU citizens as customers. Although the UK is planning to leave the EU, UK companies will still need to comply with the GDPR because of the cross-over period after the GDPR is in force and before the UK exits the EU. Another reason for UK companies to comply is that many will continue to have EU citizens as customers following Brexit.
This will benefit both clients and businesses: it will eventually increase trust between customers and companies, it will standardize IT processes across the EU, and it will lead to better data security.