The General Data Protection Regulation (GDPR) will come into force on the 25th of May 2018, replacing the existing data protection framework under the EU Data Protection Directive. Any organisation that processes personal data, in any capacity, needs to be aware that the regulation addresses it directly in terms of the obligations it imposes. What does this mean for your company? If you do not comply, supervisory authorities will be able to impose fines of up to €20,000,000 or 4% of your total worldwide annual turnover for the preceding financial year, whichever is greater.
The GDPR emphasises transparency, security and accountability on the part of data controllers, while at the same time standardising and strengthening the right of European citizens to data privacy.
The sooner you begin to prepare for the GDPR, the more cost-effective it will be for your organisation. The GDPR gives data protection authorities more robust powers to tackle non-compliance, and it will make it considerably easier for individuals to bring private claims against data controllers when their data privacy has been infringed.
One of the basic principles (integrity and confidentiality) will require organisations acting as data controllers to ensure that personal data is “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
The introduction of the new rights will allow individuals to pursue either the data controller or the data processor for the full compensation owed to them for the damage they have suffered from a data breach. A processor, however, will only be held liable for damage caused by processing that did not comply with the obligations the regulation places specifically on processors, or that went beyond the controller's lawful instructions.
Organisations must now minimise their collection of personal information, delete any personal information that is no longer required, and secure the data they do hold throughout its lifecycle. In practice this means measures such as encrypting personal data at rest and in transit, restricting access to it, and storing it only in locations that are themselves secured.
The underlying message from the GDPR is that organisations must become aware of their data: identify where sensitive data is stored, recognise who is accessing that data by keeping an audit trail, and assess whether the individuals accessing it are the ones who should be.