Data protection law is essential – it protects both customer and business data from being accessed by illegitimate third parties. While its use is clear, there is growing evidence that it has struggled to keep up with the rapid pace of change in technology. The laws surrounding data protection come from EU legislation created in 1995. After two years of arduous discussion the EU is finally ready to update these vital laws.
The General Data Protection Regulation (GDPR) is a sweeping change that will strengthen data protection law. On the surface this may seem like an exceptionally complex set of rules that will only be understood by legal experts. However, there are some simple take-homes that will mean wide changes to the way businesses manage data on a day-to-day basis.
GDPR is a Regulation
The EU releases either regulations or directives. A directive is something that individual member states have to introduce as law, and they can enact it on any timescale they wish. A regulation like the GDPR is a law that applies instantly across all member states.
Who will be affected?
GDPR will initially apply only to organisations with more than 250 employees that process more than 5,000 records annually, but this will eventually be extended to all organisations. In sharp contrast to current data protection laws, businesses based outside the EU but operating within it will also be affected by GDPR.
Organisations will have to identify which of the data they hold is classified as personal, where it is stored and what format it is in. This aims to encourage businesses to collect and store less data, because of the cost of maintaining management oversight of data storage.
Some companies exist to advise on complying with GDPR but the scale of these regulations means most organisations will need to develop structures to manage compliance internally.
Privacy and Consent
GDPR reinforces the privacy of personal data which will mean changes to the way data is collected. All data gathering must be done with explicit rather than assumed consent. Data subjects also have the right to withdraw from collection. It therefore will not be possible to simply accumulate and hold on to data.
If an organisation discovers a breach that could have data protection implications, it will have 72 hours to report this to the local information commissioner. Full breaches will mean a fine of either €1 million or 2% of global turnover, whichever is greater.
One defence against breach notification is to store data in an unreadable or inaccessible state. This means encryption can be used to avoid the notification requirement, but it requires encrypting all personal data, not just parts of it as is current practice.
‘Right To Be Forgotten’
This shook the data protection world when the ECJ introduced it in 2014. GDPR will change this to a limited ‘right to erasure’. The details of this are still uncertain, but they will almost certainly be determined by future court rulings.
Any personal data moved outside the EU to be stored has to comply with GDPR. This includes the use of cloud providers based in the US.
Is your business ready for GDPR? Do you think advanced data protection laws are necessary? Share your thoughts in the comments and on our social media pages.
Learn more at Cyber Security Europe, part of IP EXPO Europe 2016.