With the upcoming General Data Protection Regulation (GDPR), I wanted to share an interesting guest post from Rob Bickmore, Principal Security Consultant at NTT Security. Below, he explains what businesses need to know:
The countdown to compliance with the new General Data Protection Regulation (GDPR) has begun. Organisations providing products or services to EU customers or processing customer data from the EU will have to meet significant requirements before May 2018. Failure to comply with the regulation can result in fines of up to 4% of an organisation’s previous year’s annual global turnover or €20 million, whichever is greater. This means that substantial planning is required to ensure compliance with the new regulation as well as existing national data protection regulation.
Here is what you need to know:
Where data processing activities and any potential privacy breaches are considered high-risk, organisations will be required to conduct Data Protection Impact Assessments (DPIAs), adding cost and resource demands to operational projects. Evidence of the DPIAs performed and of any resulting mitigation activities will need to be maintained. The organisation may choose to perform DPIAs itself or procure them as a third-party service.
Privacy breaches will need to be reported by Data Controllers to the Supervisory Authority within 72 hours of becoming aware of them. If the breach is likely to be considered high risk to the “rights and freedoms” of individuals, notification must also be made to those affected – unless adequate security controls such as encryption can be proven. Third parties processing data on an organisation’s behalf must report breaches to their respective Data Controllers, and can be held liable for breaches if found not to have followed the controllers’ instructions on required security controls. Robust incident response and management processes will therefore be essential.
A Data Protection Officer (DPO) will be mandatory for some organisations including Public Authorities and any organisation obliged to do so by local law. A DPO will also be required if the processing includes large scale “regular and systematic monitoring” of data subjects or processing of Sensitive Data such as medical history, criminal records and religious beliefs. The DPO does not need to be an employee of the organisation, and may be provided as a Virtual DPO service from a third party but must be based within the EU.
Organisations will have to show evidence that privacy in a service or product has been considered from the concept stage and not only at the point of delivery.
Finally, individual customers will be able to request deletion of all their personal information processed or shared by a data controller. Individuals will also be able to request that their personal information be made available, in a commonly used and readable format, in order to transfer it to another data controller.
The new General Data Protection Regulation (GDPR), put forward by the European Commission in 2012 and finally agreed in general terms by the European Parliament and Council in December, is set to replace the Data Protection Directive 95/46/EC. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018.