What does it mean?
General Data protection regulation as proposed by the European commission (GDPR EU) will strengthen and unify data protection for individuals within the European Union, whilst addressing the export of personal data outside the EU. The announcement of an agreement to finalise the EU General Data protection regulation was made in 2015 and following a vote in parliament, the compliance deadline for GDPR was set for May 2018.
What are the new requirements?
Privacy by Design
Privacy by Design (PbD) has always played a part in EU data regulations. But with the new law, its principles of minimising data collection and retention and gaining consent from consumers when processing data are more explicitly formalised.GDPR article 23 outlines the consequences of data protection by design and data protection by default.
Data Protection Impact Assessments (DIPA)
When certain data associated with subjects is to be processed, companies will have to first analyse the risks to their privacy. This is another new requirement in the regulation mentioned in the GDPR text of article 33.
Right to erasure and to be forgotten
There’s been a long-standing requirement in the DPD allowing consumers to request that their data be deleted. As outlined in GDPR article 17 the GDPR extends this right to include data published on the web. This is the still controversial right to stay out of the public view and ‘be forgotten’.
The new principle of extraterritoriality in the GDPR says that even if a company doesn’t have a physical presence in the EU but collect data about EU data subjects, for example, through a website then all the requirements of GDPR are in effect. In other words the new law will extend outside the EU. This will especially affect the e-commerce companies and other cloud businesses.
GDPR article 31 outlines a new requirement not in the existing DPD is that companies will have to notify data authorities within 72 hours after a breach of personal data has been discovered. Data subjects will also have to be notified but only if the data poses a ‘high risk to their rights and freedoms’.
GDPR has a tiered penalty structure that will take a large bite out of the offenders funds. More serious infringements can merit GDPR penalties of up to 4% of a company’s global revenue. The incursion of GDPR fines can include violations of basic principles related to data security – especially PbD principles. Article 28 sees the imposition of a lesser fine of up to 2% of global revenue (still enormous) can be issued if company records are not in order or a supervising authority and data subjects are not notified after a breach. This makes breach notification oversights a serious and expensive.
Overall, the message for companies that fall under GDPR is that awareness of your data is absolute key
- Where is your sensitive data stored?
- Who is accessing it?
- Who should be accessing it?
Asystec can help you with all of the above.