The data protection and security landscape is all set for change next year with the new EU General Data Protection Regulation (“GDPR”). There will be regulatory burdens, but you can also use GDPR to bring some focus on what you do and improve your security stance. If you’re serious about security, GDPR can help. Remember…
- The new rules are part revolution, part evolution. The new system builds on the current one, so if you already comply with EU privacy law you can build on those foundations;
- Don’t panic, plan instead. The full impact will come when GDPR applies from May 2018, but preparation now will pay off then.
We’ve been working on GDPR projects since the first draft came out in 2012. GDPR is a long document, but here are some highlights:
Security breach reporting
One of the most important changes is that there will be mandatory security breach reporting (subject to some ifs and buts: the duty to notify the regulator falls away only where the breach is unlikely to result in a risk to individuals, and individuals themselves must be told where the risk is high).
Breaches must usually be reported to the regulator within 72 hours of your becoming aware of them, and those affected must usually also be informed. To do this you need clear, practical, effective and immediate procedures. You’ll also need to get your vendors and suppliers on board, since a processor that suffers a breach must tell you without undue delay and your 72 hours do not wait for them. This is business critical, so you can’t afford to get it wrong. Encryption could mean you don’t need to do as much: where the affected data was rendered unintelligible, for example by encryption whose keys were not also compromised, you may not have to notify the individuals affected. This could be the time to get budget to improve your processes.
New rights are being introduced and existing ones tweaked, including:
- A new Right To Data Portability;
- An extended Right To Be Forgotten (called the Right to Erasure);
- An enhanced Subject Access Right – to be free and with a shorter time to
A flood of SARs can have the same effect on your organisation as a DDoS attack, so make sure you have a process and are ready to respond within the deadline.
Data Protection Impact Assessments (“DPIAs”)
DPIAs will have to be undertaken for data processing operations that are likely to result in a high risk to individuals. DPIAs put the compliance assessment burden on those handling personal data, but, used as a wider tool, they help you get a better handle on your data flows and reduce risk. This should help you build privacy and security into the heart of what you do. There’s no prescribed template: the key thing is to pick a process that is simple to understand and helps you get to the real risks quickly.
Increased enforcement will come with the new regime, backed up by greater sanctions.
There are fines of up to €20 million or 4% of a business’s total worldwide annual turnover (whichever is the greater), with likely higher reputational damage resulting and the possibility of civil actions too. In some cases the new UK legislation can also lead to criminal penalties. This is the big stick for data protection compliance, but getting it right will avoid major headaches.
What do you need to do now?
Start preparing now and read our FAQs at www.bit.ly/gdprfaq or watch our film on YouTube at www.bit.ly/gdprfilm. You might also be interested in our GDPR Navigator subscription service, which includes films, checklists, articles and a monthly call to help plan for GDPR. The details of this service are at www.bit.ly/gdprnav
By Jonathan Armstrong
GDPR will also be part of the discussion in this year’s Security Serious virtual webinars. The full summit line-up includes setting the scene for the skills gap, chaired by Warwick Ashford, security editor of Computer Weekly; incentives that make the UK an ideal cyber security hub, chaired by Sarb Sembhi of Virtually Informed; artificial intelligence, chaired by Pete Warren from Future Intelligence; creative employment, chaired by Vicki Gavin, CISO of the Economist Group; and neurodiversity, chaired by Brian Higgins from (ISC)².
You can find more information, including how to register, here: https://www.securityserious.com/conference/