EU GDPR, the new data protection regulation that comes into effect next year, is still widely misunderstood. Here are some points about it that will help you to navigate the new landscape.
Technically, GDPR has been in force since May 2016. The date 25 May 2018 is when it starts to apply, and therefore when enforcement starts. This subtle but important difference means that data protection authorities can begin applying fines and penalties to any non-compliant organisation from that day onwards.
The regulation applies to any organisation that controls or processes personal data about individuals in the European Union, regardless of where in the world it is based or how large it is. The Institute of Directors has highlighted the need for UK businesses to prepare for GDPR.
Data protection officer
A study by the International Association of Privacy Professionals found that 80 per cent of organisations believe they will need a data protection officer. This person's role is to work directly with the organisation's senior management team, advising them on what they must do to meet the regulation and monitoring whether the organisation actually does it.
Organisations can hire, contract or appoint a data protection officer, who must have a detailed understanding of data protection practicalities and the legal aspects of GDPR.
Many people wrongly believe the regulation is security-focused, but its primary aim is to protect EU citizens' right to privacy. In fact, the phrase 'information security' appears just once in the text. That does not make security optional: Article 32 still requires appropriate technical and organisational measures to secure processing, and Article 33 requires breaches to be reported to the supervisory authority within 72 hours.
Speaking to an assembly of data protection officers in Italy in April, the European Data Protection Supervisor, Giovanni Buttarelli, recommended that certification schemes "could bring great benefits" in helping organisations to navigate the concepts in the GDPR. A GDPR white paper by the security company Tripwire has suggested three security frameworks that organisations can use for benchmarking: ISO/IEC 27001, the NIST Cybersecurity Framework and the CIS Critical Security Controls.
Companies that lose data through a breach or security incident are likely to receive reduced penalties if they can show regulators that they had implemented appropriate technical and organisational measures, such as encryption, to protect the confidentiality of the systems holding that data. Encryption has a second benefit: if the breached data was rendered unintelligible to anyone not authorised to access it, the organisation is not obliged to notify the affected individuals (Article 34), although it must still report the breach to the supervisory authority unless the breach is unlikely to result in a risk to those individuals (Article 33).