September 13 2016
For several years the European Commission has been planning a new Data Protection Regulation for European member states. Designed to provide a common legal framework for data protection law and to protect the data assets and privacy of individuals within the EU, the GDPR represents the biggest shake-up of data protection regulation in more than twenty years. Now that the process of agreement has been completed and the GDPR is finally a reality, the time has come for businesses across the spectrum to prepare for the new data protection landscape.
What is the GDPR?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a new regulation which is intended to strengthen and unify data protection law within the European Union. Through a range of far-reaching provisions, the European Commission aims to give data subjects across Europe increased ownership and control over their personal data assets – ensuring the right to a private life – and to provide a simplified “one-stop shop” regulatory environment for the acquisition, use and storage of the personal data of European citizens.
The GDPR will bring data protection regulation into the 21st century; designed with today’s technology in mind, it will replace the outdated Directive 95/46/EC, which dates back to 1995.
Who Will Be Affected by the GDPR?
The GDPR will apply to any business or entity, regardless of its geographical location, that holds or processes the personal data of EU citizens. This means that the scope of the GDPR will extend beyond the European bloc to include any entity which holds or processes the data of individuals within the European Union.
“Personal data” is defined as any data which may be used to identify an individual, either directly or indirectly, or as part of a collection of data spread across multiple systems. The GDPR has a broad definition of personal data and includes genetic, biometric, cultural, political, economic, social, mental and religious information.
All data formats will be regulated by the GDPR. For example, analogue and digital formats including audio, video, photographs, IP addresses, device IDs and cookies are all covered by the regulation.
The Key Points
The GDPR is a complex piece of legislation that will require a detailed analysis in order for entities to fully understand how it will impact their working practices. Some of the key points of the GDPR include:
- Enhanced personal rights for data subjects, including:
  - The right to be forgotten
  - The right to data portability
  - The right to greater access to personal data
  - The right to sue entities for failing to comply
- Increased importance in obtaining consent to hold and process data – this consent may be withdrawn by the data subject at any time
- “Privacy by Design” – privacy must be built into data processing and handling procedures
- Breach disclosure: increased transparency through the mandatory reporting of security and confidentiality breaches to regulators and those affected within specified timeframes
- The requirement to conduct routine Privacy Impact Assessments (PIAs) to regularly monitor exposure to risk
- The requirement to appoint a Data Protection Officer (DPO)
- Increased sanctions: the GDPR gives regulators the right to impose substantial fines for non-compliance – up to 4% of global turnover
When Will the GDPR Come into Effect?
The GDPR was published in the EU Official Journal on May 4th, 2016 and entered into force 20 days later, on May 24th. The regulation will become applicable on May 25th, 2018, which gives all affected entities less than two years to ensure that their data storage and processing operations meet the new compliance requirements.
The GDPR timeline
What Should Businesses Do Now?
With less than two years to go until the GDPR becomes applicable, it is vital that businesses and other affected entities engage with the regulation and begin the journey towards compliance as soon as possible – time is short and there is considerable work to be done.
An enterprise-wide review of all data acquisition, storage and processing practice is a vital first step in understanding how and where the GDPR will affect the business. This will enable businesses to identify any required changes to infrastructure and provide a knowledge-base from where they can start to build compliance into their policies and procedures.
Organisations should consider how they will locate and access all of the data that they hold – all held data that can be used to identify an individual, including voice calls and video recordings, must be easily located and distinguishable from the data of other individuals. Businesses should address any archived data that might be held on aging physical media formats which could impede the ability to complete this task (tape-based and optical media for example) and establish whether or not it is necessary to continue to hold that data.
If it is necessary to hold the data, then it should be migrated to a platform that can benefit from today’s advanced search capabilities to provide greater security and longevity. All businesses should consider the long-term viability of their storage solutions and identify any current infrastructure that may be approaching its end-of-life. Technology which is no longer supported by manufacturers or solution vendors will not be able to offer businesses the best-of-breed levels of data management required by today’s regulations and will pose an increasing compliance risk for any businesses that continue to rely upon it. Replacing such technology and migrating data onto a secure platform sooner rather than later will pay great dividends in the long run.
A proactive approach to risk management is a common theme across many emerging regulations, such as the GDPR and MiFID II. Increasingly, businesses are being expected to demonstrate to regulators that they have taken all reasonable steps to mitigate exposure to risk, whilst customers and data subjects demand the best possible security for their valuable data assets. For all entities facing the GDPR – and other similar regulations – this inevitably means tackling some considerable challenges ahead. However, the technology available to businesses to address these issues has never been more capable, and by taking advantage of advanced data security coupled with best-of-breed search and analysis technologies, these are challenges that can not only be overcome, but turned into exciting new opportunities. Through the aligning of modernised data protection law across Europe, in tandem with increased transparency and greater rights for individuals, the GDPR will enable businesses to capitalise on these opportunities as they take a step closer to a Single Digital Market and reap the benefits of a boost in consumer confidence.
For further information about the GDPR contact Weston Digital Technologies today and find out how we can help your business become compliant.