Enterprises need to plan now for the implementation of the new General Data Protection Regulation (GDPR)
To stay ahead of the requirements set out in the GDPR, enterprises will need to appoint a Data Protection Officer (DPO) before the regulation comes into force – at least that’s the opinion of M-Files, a data and document management company.
The GDPR (also known by the less catchy Directive 95/46/EC) is a new set of rules that defines data protection standards and laws across the EU. It encompasses all the key elements of Article 8 of the European Convention on Human Rights, which enshrines citizens’ right to privacy in their personal and family lives.
Approved in January of this year, the legislation is expected to become law by the end of 2017. This gives companies roughly 18 months to ensure they’ll remain compliant when these new rules come in.
Julian Cook, Director of UK Business, M-Files, stated: “Enterprises need to address the compliance, budgetary and risk factors associated with the introduction of the Directive now. Article 35 of the GDPR mandates that all organisations, no matter what the size, must have a DPO, but this may not be enough to drive change and give executive management the visibility and insight it needs as it relates to compliance. The role of the DPO not only includes advising on and monitoring GDPR compliance, but representing the company when contacting the supervising authority or the Data Protection Authority, which in this position is so critical.”
The new Directive will also introduce a tiered fine structure. A company can be fined up to two per cent of its annual turnover for not having its records in order (Article 28), not notifying the supervising authority and data subject about a breach (Articles 31 and 32), or not conducting impact assessments (Article 33). More serious infringements, such as a violation of the basic principles of data security (Article 5) or of the conditions for consumer consent (Article 7), carry a fine of up to four per cent.
The GDPR also requires the DPO to notify the appropriate supervisory authority of a personal data breach within 72 hours of learning about it, where the breach results in a risk to the consumer. The GDPR notification is more than a statement that an incident has occurred: organisations will need to include the categories of data involved, the records touched, and the approximate number of data subjects affected.
“But it is not just creating a new role to challenge the risks associated with the GDPR. It is also about the issue of compliance and organisations also need to seriously address today’s highly mobile workforce to prevent potential data breaches and the issue of risk head-on,” added Julian. “According to research M-Files conducted in 2014, 25 per cent of employees say their company has experienced information security breaches, data loss, non-compliance issues, or loss of control over documents through employee use of personal file sharing and sync tools at work.”
One way of addressing these challenges is through leading Enterprise Information Management (EIM) solutions, which provide the simplicity employees want together with the control businesses require. EIM helps simplify processes in a variety of ways. For example, with metadata-driven EIM solutions, content classes can be determined easily, enabling quick access to non-sensitive content while confidential information stays secured.