In May 2018, the General Data Protection Regulation – the GDPR – will come into force following the EU’s 2016 decision to adopt the measure. The regulation covers the way personal data is processed by both private companies and public bodies across the entire European Union. The main focus is on protecting citizens with regard to the processing of their personal data and on guaranteeing the free movement of data within the EU. So far so good, then, as the new regulations offer a number of advantages from a data protection perspective. However, for businesses they give rise to some major challenges, not the least of which is the duty to implement the measures by May 2018. And while the GDPR doesn’t exactly reinvent the wheel, it does involve some new provisions and the addition of greater detail to existing ones. Read on to find out what this all means for your business and how you can prepare for the changes in good time.
Even though Switzerland is not an EU member, the new guidelines will have a major impact on Swiss companies. The GDPR applies to all businesses within the EU as well as companies in other countries – irrespective of their size or the industry involved. This affects not just businesses that trade within the EU but also those with employees from the EU and those that process data from or within the European Union. We can also expect to see Swiss legislators tighten up domestic laws.
The GDPR is based on the currently applicable EU Data Protection Directive 95/46/EC, from which many provisions have been transferred – albeit in a stricter form. Challenges arise not just from the scope and tough demands of the new measure but also the implementation timetable it imposes. By May 2018, all organisations will need to have ensured compliance with its rules.
Here is a brief extract from the most important requirements:
- Data breaches must be reported to the responsible data protection authority within 72 hours; in serious cases, the affected parties must also be informed.
- The principles of “privacy by design” and “privacy by default” require those processing the data to guarantee adherence to data protection rules even in terms of the equipment and technology used.
- Data portability: Data owners / interested parties can demand the release of their data at any time in a usable form, for example for switching to other providers. As a result, market entry barriers will be reduced and competition strengthened. Interested parties will also have the right to the erasure of all personal data.
- The GDPR requires that in high-risk organisations a data protection officer (and a representative in the EU, if the affected persons are in the EU) must be responsible for information security. In practice, however, very few organisations will escape this rule when the new law comes into effect – whether they are at high risk or not!
- Complex projects will require an assessment of the data protection implications to be made in advance as well as notification to be given to the supervisory authority where high residual risks remain.
This, then, is just an excerpt of the list of provisions. Only very few of the new data protection guidelines are currently being followed by businesses or are already being tested as part of a BCM process.
Seeing the GDPR as an opportunity
At first sight, the new rules might well appear to represent little more than disadvantages. For many companies, however, they also offer opportunities. For example, when trading across borders, businesses will no longer need to spend money adapting their practices to fit country-specific variations. Meanwhile, uniform standards, legal clarity and transparency will help create a level playing field with regard to the handling of personal data. In addition, the data portability rules will benefit smaller companies and start-ups, as it will be easier for customers to switch providers.
Preparation is key!
The consequences of breaching the GDPR could be expensive for businesses. The EU can impose fines of up to EUR 20 million or 4% of a company’s annual turnover, as well as other sanctions. This is a frightening scenario that has worried many businesses. It represents yet another reason for taking the GDPR seriously. Even if your own business is not specifically affected, it’s important to examine your own compliance with data protection rules and to raise awareness of the issues among your senior managers. And as, in our experience, implementation can take up to two years, it’s best to get started now!
The following eight steps can help you prepare for internal implementation in the optimum way:
- Nominate – if you haven’t already done so – a data protection officer, who will be responsible for implementing the GDPR’s provisions right from the start.
- Subject your processes and systems to a periodic gap and risk analysis so as to detect any loopholes and tackle them in a targeted way.
- Identify personal information and find out what data is stored where and who has access to it.
- Use the resulting findings to adapt your processes to fit the new data protection guidelines, restrict access to sensitive data based on the “need to know” principle, and monitor compliance.
- Carry out dry runs to test the most important requirements, such as data erasure, data export / data transferability, authorisation for the use of web user and behaviour data, as well as incident / breach detection and escalation including reporting.
- Document your data processing procedures in order to produce evidence that you are adhering to GDPR provisions.
- Utilise systems for complying with data governance and data encryption requirements.
- Operate continuous monitoring (cyber defence centre services) with an adequate time frame for storing log files.
If you work through these steps carefully, you will have nothing to fear – despite the extensive list of rules included in the GDPR. Even so, it's always advisable to seek guidance from experts when the legal framework is undergoing such an extensive change. InfoGuard is your reliable partner in this field. We can assist you at every step of the way, from analysis, strategy definition, and implementation of network and security solutions to the ongoing monitoring and control of your systems. Thanks to our many years of broad experience in a wide variety of industries, we can offer you professional services that you can trust!
Please contact us, without obligation, and our specialists will get in touch with you. We look forward to assisting you in matters of GDPR.
P.S. Was this article helpful to you? We appreciate your feedback and / or suggestions.