As far as laws go, for the information management and security community, the General Data Protection Regulation (GDPR) falls firmly into the “game changer” category. It is exactly 12 months until the regulation applies, on 25 May 2018.
When it does, it will replace the 1995 Data Protection Directive and the national laws that implemented it, including the UK’s Data Protection Act 1998 (DPA). There is no doubt about its significance: GDPR will usher in strengthened rights for individuals, a raft of new reporting and other obligations for businesses, and a considerably higher ceiling on fines.
This is precisely the type of once-in-a-generation overhaul that can cause sleepless nights for even the most seasoned CISO.
With just a year left before GDPR becomes reality, it is absolutely vital that all organisations, from big multinationals to SMBs, have a full understanding of what it will mean for their business and their customers.
However, despite this importance, many businesses we speak to still have a number of questions about what exactly GDPR means for them.
These include the following:
1. How does GDPR differ from Directive 95/46/EC (implemented in the UK as the Data Protection Act 1998)?
In short, certain areas of the law have been strengthened, while some brand-new concepts have also been introduced. Big changes include the following:
• Enhanced rights for individuals. These include the right to erasure (the “right to be forgotten”) and the right to data portability: the right to receive their data in a structured, machine-readable format and to have it transmitted to another data controller.
• Data protection by design and accountability. When launching new products and services or introducing new technologies, organisations must be able to demonstrate compliance. Where processing is likely to result in a high risk to individuals, this includes carrying out a data protection impact assessment (DPIA).
• Transparency. Organisations must be able to provide extensive information to individuals about how their data is processed.
• Breach notification. A new requirement to notify the supervisory authority (the Information Commissioner’s Office (ICO) in the UK) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it.
• A new fine regime. GDPR introduces maximum fines far above the upper limit currently in place under the Data Protection Act.
2. Do I have to “worry” more about GDPR than the old DPA?
Under The DPA, the ICO currently has authority to issue monetary penalty notices of up to £500,000 for serious breaches.
By contrast, for a serious breach of GDPR, data controllers and processors will be liable for a fine of up to four per cent of total worldwide annual turnover for the preceding financial year or up to €20 million, whichever is higher.
For other breaches, such as failing to keep proper records of processing activities or of breaches, or failing to notify a breach, the fine can be up to two per cent of worldwide annual turnover or €10 million, again whichever is higher.
So from a purely financial perspective, the potential consequences of GDPR non-compliance are significantly greater than under the old regime. What’s more, information about sanctions imposed will be in the public domain – so possible reputational risks to the business also need to be considered.
Say, for instance, it becomes a matter of public record that you were unwilling or unable to report a serious breach to the ICO in a timely manner, or that you were not equipped to contain it swiftly. Faced with this, it is going to be tough to convince security-conscious customers that you are a ‘safe pair of hands’.
3. So do companies now have to report all data breaches?
A personal data breach is any incident which leads to the “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to” personal data. Every such breach must be notified to the ICO unless it is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be told without undue delay. Whatever the outcome, every breach must be documented internally, including those you decide not to report.
Let’s take the example of a rogue insider who steals data from your organisation. If the haul includes customer account information or internal personnel records, this almost certainly would be a reportable incident.
If the theft is confined to files relating to your upcoming new product range, and those files contain no personal data, then despite being a catastrophic loss to the business it would not fall under the notification requirement.
4. Will a data breach always lead to a fine under GDPR?
In itself, GDPR won’t stop data breaches happening – and nor will you automatically be looking at a fine if you suffer a breach. What happens after a reportable incident will depend on your ability to co-operate with the ICO; to give them the information they need and to explain whether the protective measures you had in place were appropriate.
In essence, the ICO will need answers to a number of questions:
• Were you able to report the incident within 72 hours of you becoming aware of it?
• Can you explain what happened, who was affected, the consequences and the measures you took to rectify it?
• Do you have a clear incident response plan – and did you follow it?
• Do you have an incident log?
• For the data processing operation in question, did you carry out a data protection impact assessment? If it identified a high risk you could not mitigate, did you consult the ICO before starting the processing?
As under the DPA, you are under a duty to implement “appropriate technical and organisational measures” to keep data secure.
There’s an ongoing duty to take into account the “state of the art” to ensure your framework is up to scratch; something that becomes especially relevant when upgrading your security infrastructure.
5. Does Brexit change anything?
GDPR is an EU Regulation (as opposed to a Directive), so it applies automatically across the EU next May without the need for an Act of Parliament to transpose it. The UK will still be part of the EU on that date, so as far as UK businesses (and any businesses dealing with the UK) are concerned, GDPR is happening. Even after the UK leaves, any organisation that offers goods or services to, or monitors the behaviour of, individuals in the EU will remain within GDPR’s territorial scope.
GDPR is like nothing the business world will have experienced before. Yes, it is complicated, but it is necessary. Remaining informed on exactly what it entails and ensuring your business is compliant is going to be vital.
Sourced by Dr Jamie Graves, CEO, ZoneFox