In January of this year the European Commission revealed a draft of its European General Data Protection Regulation
(GDPR) to replace the previous Data Protection Directive.
What is it?
The old EU Data Protection Directive was created to regulate the possession of personal data within the European Union. The new GDPR is designed to give individuals more control over how their personal information is used by businesses. Its aim is to harmonise the current data protection laws in place across the EU member states. The fact that it is a “regulation” instead of a “directive” means it will be directly applicable to all EU member states without a need for national implementing legislation.
The new EU-wide law will apply to all businesses and organisations across the continent, and will require them to ensure that personal data can be identified and quickly deleted from systems. Any data breaches must be reported promptly to data protection authorities, among other stipulations.
Companies that don't abide by the new rules could face fines of up to 4% of their revenue (for Facebook this would be the equivalent of $500m in 2014).
The new rules will create huge challenges for many companies, which will need to completely reconsider the way they handle European data, whether it's inside or outside the EU. Many of them will struggle to make the necessary internal adjustments in the two and a bit years before the new rules go into effect in 2018.
How to prepare for the new legislation
The Information Security Forum (ISF) has identified the top five actions to take:
1. Get your privacy policies, procedures and documentation in order and keep them up to date: data protection authorities will be able to ask for these at any time.
2. Form a governance group that oversees all your privacy activities, led by a senior manager or executive. If you have over 250 employees, appoint a data protection officer. The group should develop metrics to measure the status of privacy efforts, report regularly and create statements of compliance that will be required as part of your organisation’s annual report.
3. Implement a breach notification process and enhance your incident management processes and your detection and response capabilities. Any data breach must be notified to the relevant data protection authority, even if protective measures, such as encryption, are in place or the likelihood of harm is low.
4. Prepare your organisation to fulfil the "right to be forgotten", "right to erasure" and the "right to data portability". A strategy covering topics such as data classification, retention, collection, destruction, storage and search will be required – and it should cover all mechanisms by which data is collected, including the internet, call centres and paper.
5. Create and enforce privacy throughout your systems' lifecycles to meet the "privacy by design" requirement, whether you buy or develop. This will ensure privacy controls are stronger, simpler to implement, harder to bypass and totally embedded in a system’s core functionality.
Telehouse offers local expertise and multilingual customer support to help customers with the country-specific challenges of setting up and managing their IT projects in foreign regions.
For further information contact your account manager or email email@example.com