European professionals can hardly miss the imminent arrival of the General Data Protection Regulation (GDPR), which applies across European Union member states from 25 May 2018 (the UK will not be exempt, despite Brexit). Since the new year there has been a flurry of news, briefings and conferences as everyone realises that 2018 is now next year, and for some organizations there is still a lot to do.
GDPR reinforces existing obligations on data controllers and processors in order to further safeguard individuals' data. Organizations should be transparent about what personal data they hold, why they hold it, and for how long. Critically, they must also have documentation in place showing the lawful basis on which they process this data, and demonstrating that they are behaving in an accountable manner. Individuals should be able to check easily what data is held on them (for example, through secure online access to their own records) and to have it corrected, amended or deleted.
For global companies, whether you are required to comply depends on where you are established and whose data you process, not simply on where your head office is: the regulation applies to organizations with an establishment in the EU, and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. Where your decisions about data processing are made (with local EU country managers, or at a head office elsewhere in the world) determines which supervisory authority takes the lead. Either way, we'd suggest the principles are valid wherever you are based.
One aspect of the regulation that organizations need to consider closely is management of data breaches. The UK’s Information Commissioner’s Office (ICO) says:
“A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.”
Where a breach is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority must be notified without undue delay and, where feasible, within 72 hours of the organization becoming aware of it. Where the risk to individuals is high, the affected individuals must also be told without undue delay; a public communication may be used instead where contacting each individual would involve disproportionate effort. Failure to meet these obligations may result in a fine of up to 10 million Euros or 2% of your global annual turnover, whichever is higher.
To prepare for breach reporting, the ICO says:
“You should make sure that your staff understands what constitutes a data breach, and that this is more than a loss of personal data.
You should ensure that you have an internal breach reporting procedure is [sic] in place. This will facilitate decision-making about whether you need to notify the relevant supervisory authority or the public.
In light of the tight timescales for reporting a breach – it is important to have robust breach detection, investigation and internal reporting procedures in place.”
Guidelines on notification of personal data breaches are being developed by the EU's Article 29 Working Party at the moment. We'll update you in due course.
At LigaData, we obviously have a significant interest in the requirements driven by this regulation on the companies we work with.
Our business is built around helping organizations detect and respond to enterprise threats, including identifying and addressing data breaches as thoroughly and quickly as possible. Our products are likewise focused on meeting the data governance requirements imposed by the regulation, including full transparency into the source, location, lineage and provenance of all data flowing through a company's ecosystem.
If you’d like to talk to us about how we might be able to help you with any of these challenges, please get in touch at email@example.com.
Further reading from the EU and the UK’s Information Commissioner’s Office:
- EU fact sheets on Data Protection Reform: http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=52404
- ICO GDPR overview: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
- 12 steps preparation: https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf
- More about breach notification: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/breach-notification/