Additional contributor: Ben Banks, Director, Information Security
Privacy and Data Protection have a long legal history that is traceable to the principles of justice and fairness, which were first articulated in the Magna Carta of 1215. These rights were more succinctly defined in modern times, in 1948, under the 12th Article of the Universal Declaration of Human Rights, which established the right to a private life.
This history continued with the OECD guidelines in 1980 and, in Europe, with the European Commission’s Data Protection Directives in 1995, which were subsequently used as the basis for individual European countries’ data protection laws.
In 2012 an update to the Data Protection Directives was proposed. The General Data Protection Regulation (GDPR) was intended to be a wholesale update of the European data protection laws that reflected the changes to the use of personal data in the pervasive internet age. On May 28, 2018, GDPR becomes law across Europe.
Here, we will discuss what you need to know and expect from GDPR beginning this year.
GDPR’s key notes
The GDPR regulation introduces several important changes that organizations that either collect or use personal data need to be aware of:
- Creates a single European regulatory authority and a single pan-European law with allowance for more stringent national regulations
- Establishes joint liabilities between firms acting as data controllers (those that collect personal information) and those acting as processors (those who have been given access to personal information by the controllers for a specific purpose)
- Makes mandatory the need to establish an appropriate legal basis for the use of personal information, one that is clearly communicable to the individuals from whom the data is collected
- Gives individuals extended rights related to their information such as a right to be forgotten, right of rectification, right to withdraw consent and right to get a copy of their information
- Provides high-level principles for how applications that handle personal information should behave, incorporating privacy by design and by default, and reiterates the existing legislative requirement to have appropriate technical and organizational measures in place to ensure the security of that information
- Requires the reporting of significant data breaches within 72 hours
- Brings into law the requirement that the GDPR applies wherever the personal data of EU residents are held, regardless of geographic location
- Makes law the need to have a formal Data Protection Officer for specific types of organizations, such as public authorities or ones that process sensitive personal information
- Imposes penalties of up to 20 million euros or 4% of annual global revenue (whichever is greater), making the potential cost of non-compliance higher than the cost of compliance
Technology sector in the crosshairs
What will be the initial focus for the GDPR regulators?
According to Ensono Director of Information Security, Ben Banks, the technology sector will be increasingly in the crosshairs. Even before the new GDPR takes effect, the EU’s strict data and privacy laws have taken a bite out of Facebook for privacy infractions related to its WhatsApp acquisition.
In March, the offices of Cambridge Analytica were searched by the UK Information Commissioner’s Office with respect to potential data protection breaches related to data it obtained via Facebook and used for political analysis. Google was hit with a $2.7 billion antitrust penalty in June related to its shopping results.
GDPR and Brexit
The UK government has made strong commitments that post-Brexit, the UK will adopt the GDPR regulation into law to ensure that UK businesses that rely on EU residents’ data are not impacted. There is also the strong possibility that the UK will try to gain a formal adequacy judgement from the EU that establishes its post-Brexit data protection framework as equivalent to the EU’s. Such a judgement would ensure the uninterrupted, unhindered free flow of data for the UK and the EU.
What should organizations do to prepare for the new regulation?
Within our own company, we’ve been engaged in a program of activities related to compliance with the GDPR for the last year. This program has specifically looked at our activities both as a data controller and as an infrastructure partner for our clients.
Our key areas of focus have been:
- Ensuring that we have the right provisions in place as they relate to our place in the supply ecosystem, both as a procurer of services and as a supplier
- Reviewing our products, platforms and services to make sure we continue to provide the highest levels of security for the information we hold on behalf of our clients
- Examining all the areas of the business where we use personal information and putting steps in place to clarify the legal basis for such usage
- Updating our internal processes to support the key technology guiding principles
- Rolling out mandatory training to all associates so that they are fully aware of GDPR
Are you and your business partners properly equipped for GDPR? Stay in the know by subscribing to our blog for future hybrid IT insights around security and compliance.