Although Article 50 has been triggered and in 2 years' time Great Britain will no longer be part of the EU, the General Data Protection Regulation is still relevant. The new data protection laws ensure the same privacy rights across the EU member states, regardless of where the data is processed.
Firstly, GDPR is not something that only EU member states must follow: it also applies to organisations located outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU. As a result, everyone who collects and processes data of EU citizens must implement the new measures and be able to demonstrate compliance.
Secondly, the UK government has confirmed that the GDPR regulation will be applied regardless of Brexit.
So, what are the most significant changes?
- The definition of personal data is more detailed and wider; for example, it includes online identifiers (e.g., IP addresses, cookies). Additionally, personal data that has been pseudonymised may also fall under GDPR. Sensitive personal data now includes biometric and genetic data.
- Obtaining valid consent from the user to process data will be much harder. The request will have to be written in easy-to-understand language and make clear what the organisation will do with that information. The thing to remember is that silence or inactivity doesn’t mean ‘yes’.
- The user has the right to take their data with them (for example when moving to a competitor or closing an account).
- When a data breach occurs, authorities must be informed within 72 hours. It’s already the law in the Netherlands; now it will apply everywhere.
- A Privacy Impact Assessment will be mandatory, and it should be done before a project involving personal information even starts.
- Some organisations will have to appoint a Data Protection Officer. That depends on the size of the organisation and how much personal data it deals with.
- Right to be forgotten: there are six conditions under which companies have to remove personal data without delay.
- Data protection will no longer be the sole responsibility of controllers; it will also be the responsibility of processors.
- Data protection by design and by default: every system will have to be designed with data protection in mind.
- A one-stop shop for supervisory authorities in Europe will be introduced. That means any European data protection authority will be able to take action against a company anywhere in the world.
- All of it is enforced with fines of up to €20m or 4% of group annual global turnover.
The fines are high, and the deadlines are short. The regulation comes into effect on 25 May 2018.
The sheer size and diversity of the data stored and processed by many organisations make the challenge a daunting one. In the simplest terms, the key implication is that every company must fully understand what personal data it holds. It sounds simple, but trust me, it’s not. For example, do you even know where and how IP addresses are stored and processed in your organisation? You may find them in various places: stored on web servers, load balancers, proxies, backups, firewalls, IDS/IPS devices, CDNs, various log files, analytics software, advertising systems, databases, warehouses, data lakes, reporting systems, etc.
There is also a need for organisation-wide data-protection policies, strict access controls, rigorous governance schemes, auditable records and annual data protection audits. Finally, there is the need for rapid detection and reporting of data breaches and, most importantly, the ability to find, report, modify or remove personal data on request and within the prescribed time limits. Most data processing systems have not been designed to do this. There is rarely a centralised catalogue of all the data stored across all systems. The Big Data mantra used to be “store everything forever”, or never delete anything, just set a “deleted” flag.
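The two paragraphs above describe the practical problem: IP addresses (personal data under GDPR) are scattered across web server logs, load balancer logs, analytics exports and so on, and an organisation must be able to find them, pseudonymise them where processing still needs a stable identifier, and actually erase them on request rather than setting a “deleted” flag. The following is an added example, not code from the original post; the log sources and lines are constructed for illustration, and the function names (`find_ip_addresses`, `pseudonymise_sources`, `erase_ip`) are hypothetical.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed sample "log sources" standing in for files spread across systems:
# source name -> list of log lines. The addresses are documentation ranges.
SAMPLE_SOURCES = {
    "web-server/access.log": [
        '203.0.113.42 - - [10/May/2018:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
        '198.51.100.7 - - [10/May/2018:13:55:37 +0000] "POST /login HTTP/1.1" 302 0',
    ],
    "load-balancer/lb.log": [
        "client=203.0.113.42 backend=app-01 status=200 latency_ms=12",
    ],
    "analytics/events.csv": [
        "event_id,ip,page",
        "1,198.51.100.7,/pricing",
    ],
    "app/health.log": [
        "worker 3 ok, queue depth 0",
    ],
}

# Dotted-quad IPv4 matcher with per-octet range check. Version strings such as
# "1.2.3.4" would also match, so in practice results need a review step.
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)


def find_ip_addresses(sources):
    """Data discovery: map each IP address found to the sorted list of sources
    that contain it, i.e. the 'where is this personal data stored' inventory."""
    locations = defaultdict(set)
    for name, lines in sources.items():
        for line in lines:
            for ip in IPV4_RE.findall(line):
                locations[ip].add(name)
    return {ip: sorted(names) for ip, names in locations.items()}


def pseudonymise_ip(ip, key):
    """Keyed hash (HMAC-SHA256, truncated) so the same IP always maps to the same
    token within one key, while the token cannot be reversed without the key.
    The key itself must be protected: with it, the data is still personal data."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise_line(line, key):
    """Replace every IP in a line with a prefixed pseudonymous token."""
    return IPV4_RE.sub(lambda m: "ip:" + pseudonymise_ip(m.group(0), key), line)


def pseudonymise_sources(sources, key):
    """Pseudonymise every line of every source; returns a new mapping."""
    return {
        name: [pseudonymise_line(line, key) for line in lines]
        for name, lines in sources.items()
    }


def erase_ip(sources, ip):
    """Serve an erasure request for one IP: rewrite it out of every line in every
    source instead of flagging it. Returns (new_sources, lines_changed)."""
    pattern = re.compile(r"\b" + re.escape(ip) + r"\b")
    changed = 0
    result = {}
    for name, lines in sources.items():
        new_lines = []
        for line in lines:
            new_line, count = pattern.subn("[erased]", line)
            if count:
                changed += 1
            new_lines.append(new_line)
        result[name] = new_lines
    return result, changed


if __name__ == "__main__":
    inventory = find_ip_addresses(SAMPLE_SOURCES)
    for ip, names in inventory.items():
        print(ip, "->", ", ".join(names))
    demo_key = b"constructed-demo-key"  # constructed; use a managed secret in practice
    for name, lines in pseudonymise_sources(SAMPLE_SOURCES, demo_key).items():
        print(name, lines)
    cleaned, n = erase_ip(SAMPLE_SOURCES, "203.0.113.42")
    print("erased from", n, "lines; remaining inventory:", find_ip_addresses(cleaned))
```

The discovery step answers the question the post asks (which systems hold IP addresses), the pseudonymisation step shows why pseudonymised data may still fall under GDPR (whoever holds the HMAC key can re-link the tokens), and the erasure step removes the value itself rather than marking a record deleted.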
With so many data breaches, we need better protection. It’s not an easy task, and there’s a lot of work ahead. What’s important is that we all do our best to secure this data.
Because it’s our data and we should care!