In the next 12 months, the draft General Data Protection Regulation (GDPR) is due to be passed through European Parliament – the most significant change of its kind in a generation.
What does it mean? How will it affect organisations across the world? What does your IT department need to know? We take a look:
Why is the GDPR being launched?
Currently, data protection regulation varies across the EU. Each country has its own way of dealing with personal data breaches, and some are much more litigious than others.
The Information Commissioner’s Office, for instance, which deals with data protection in the UK, is much more active in pursuing organisations and public sector bodies that flout its guidelines, while the French and German authorities are both less aggressive and have fewer statutory powers to punish unethical organisations.
The GDPR is a piece of regulation that seeks to unify and standardise data protection across the EU’s 28 member states.
What’s more, current EU data protection laws are somewhat outdated. The last major change came about in 1995 and there are no regulations in place to deal with social networking information, secure business file transfer needs, cloud computing and the so-called ‘right to be forgotten’. It’s hoped that the GDPR will bring the EU up to speed with modern data processes and clarify what exactly is expected of organisations that handle private customer information.
It’s important to note that this new regulation has yet to be set in stone, but it’s certainly a case of ‘when’ rather than ‘if’. While policy negotiations are still currently ongoing, it’s expected to be adopted by early 2016 and enforced from 2017.
What does this mean for organisations?
Any company, whether European or not, that does business inside the EU will have to abide by the regulations. What’s more, failing to adequately protect data will come with increasingly stringent punishments. Fines could be as large as €100m, or 5% of a company’s turnover.
This means that it will be more important than ever for some organisations to change the way that they handle data.
The new plans are both good and bad news for IT departments. Although the punishments are certainly harsher than in any EU country today, the harmonisation of data protection regulations across the bloc means that compliance should be significantly easier.
Companies are being given greater transparency, making it more efficient to do business in Europe, but in return they’re expected to be more accountable than ever before.
Are you ready?
If your IT department isn’t yet, don’t worry – you’re in good company. A recent survey by Ipswitch found that more than half of respondents didn’t even know what GDPR meant, while 35% weren’t aware if their current IT policies would be up to scratch.
However, because the regulations are yet to be set in stone, there are not yet any concrete guidelines that must be adhered to. But we already know that organisations must:
- Incorporate clear privacy policies
- Be able to delete customer data on request
- Provide individuals with an electronic copy of their personal data
What to do before the GDPR lands
What’s more, there are a number of steps that your IT department should take in order to get the culture of your organisation ready for the GDPR:
- Oversee data compliance – employ a data protection officer to ensure that all stakeholders are aware of their duties
- Assess your data – conduct a thorough audit of the personal data that’s held in your organisation
- Review your contracts – understand which third parties have access to your data. Find out how they store and encrypt it
- Locate the data – find the separate places that personal information is found and eliminate, if possible, any unnecessary locations
- Limit privileges – ensure that only the most necessary people have access to personal data
- Establish and strengthen policies – ensure that there are policies available to meet all privacy requirements
- Insist upon encryption – use data sharing tools that apply strong encryption as standard
If you’re confident that your organisation is handling data correctly, you can apply for an EU Data Protection seal which, if accepted, would certify your personal information processes for five years and get you ready to deal with everything that this new EU legislation has to throw at you.