The EU’s General Data Protection Regulation (GDPR) will apply from 25 May 2018, when it supersedes the UK Data Protection Act 1998. It is a strict new law that brings a 21st century approach to data protection. The GDPR consists of a new set of obligations on organisations to be more responsible for data protection. Covering the whole of the EU, it heightens the rights of individuals to control how their personal information is collected and processed. The GDPR also regulates the exportation of individual personal data outside the EU.
Companies will be challenged as they put systems and processes in place to comply. GDPR compliance is not simply a matter of ticking a few boxes, and its standards are quite high. The regulation demands that you be able to demonstrate compliance with the data protection principles. This involves taking a risk-based approach to data protection, ensuring appropriate policies and procedures are in place to deal with the transparency, accountability and individuals’ rights provisions, as well as building a workplace culture of data privacy and security.
With the appropriate compliance framework in place, you will avoid significant fines and reputational damage. Moreover, there will be many business benefits, including:
- Building customer trust
- Improving brand image and reputation
- Improving data control
- Improving information security
- Improving competitive advantage
Compliance will raise concerns and create new expectations of security teams. For example, the GDPR takes a wide view of what constitutes personally identifiable information: companies will need the same level of protection for things like an individual’s IP address or cookie data as for name, address, health and genetic data, political opinions, sexual orientation, racial or ethnic data and social security numbers.
The GDPR defines that whoever holds the role within a company for ensuring compliance is the person responsible. The data controller defines how personal data is processed and the purposes for which it is processed. The controller is also responsible for making sure that outside contractors comply. Organisations must also inform customers of their rights under the GDPR. The GDPR governing body will fine companies for data breaches and non-compliance, and non-compliance could cost companies greatly.
COMPLIANCE IS NOT A CHOICE AND TIME IS SHORT.