June 30, 2017
General Data Protection Regulation
Regulation is the innovation
Any data protection law is drafted with a certain amount of jargon, and the General Data Protection Regulation (GDPR) is no different. Many of us can hear the clock ticking as the European Union prepares to implement a set of data protection rules designed to protect European citizens’ personal data. This regulation will affect anyone who deals with EU citizens’ personal data, meaning that, yes, even if you are a non-EU-based company you will still need to comply.
Arguably, the GDPR is one of the biggest changes to the regulatory landscape of data privacy; how strongly it will be enforced, only time will tell. As of now, the GDPR is set to be implemented in May 2018.
So, what has changed?
- Consent from a client for the processing of their personal data must now be obtained in an unambiguous manner, through a statement or a clear affirmative action.
- Reporting of a data breach to the Supervisory Authority must be done within 72 hours after becoming aware of a personal data breach.
- Data portability: the transfer of one’s personal data from one electronic processing system to another must not be prevented by the data controller.
- Data Protection Officers (DPOs) must be appointed in the case of public authorities or organizations that engage in large scale systematic monitoring and processing of sensitive personal data.
- An administrative fine of up to 10 million EURO or 2% of annual global turnover (whichever is higher) may be imposed for non-compliance with the obligations of a data controller or a data processor.
- Parental consent will be required to process the personal data of children under the age of 16.
- Privacy by design and by default should be built in as the means of meeting the principles of data protection.
- The right to be forgotten: a data subject may obtain erasure of their personal data from the controller without undue delay, and the controller is obliged to erase the said personal data.
The rules of the game will apply to you if:
- You process personal data of subjects residing in the EU.
- You monitor the behavior of EU residents.
- You have an ‘establishment’ in the EU.
- You sell goods or services to users over the internet, including users in the EU.
How do you begin?
- Revisit the design of your processing operations so that, by default, personal data are only processed where necessary.
- Carry out regular checks on your data management system wherever third-party suppliers have access to personal data.
- Conduct periodic privacy impact assessments.
What can the academy do for you?
- Conduct a six-week sprint to assess your data-protection readiness and define a remediation program in line with your risk appetite.
- Create organization-wide awareness, helping relevant stakeholders integrate GDPR solutions into their operational environments.
- Streamline your breach notification plan, thereby strengthening and unifying the safety and security of relevant data.
- Design and implement a sustainable privacy and data protection program in accordance with ISO 27001.
A thought paper by Quick Heal Academy