March 9, 2018

GDPR: The Clock’s Ticking, Confusion Reigns; We’re Here to Help

Three quarters of respondents say government explanations inadequate, new survey shows. Here’s CBR Online’s handy GDPR refresher.

By April Slattery

With just 11 weeks to go until the EU’s General Data Protection Regulation (GDPR) becomes law, many IT decision makers at the coalface remain worried.

Research released today by cybersecurity giant Bitdefender, for example, finds that 74% of C-suite IT players believe government explanations of how to prepare have been inadequate.

A reminder: GDPR was designed, in the EU’s words, “to harmonize data privacy laws, to protect and empower all EU citizens’ data privacy and to reshape the way organizations… approach data privacy.”

Get implementation wrong and you face fines from the Information Commissioner’s Office of up to €20 million (£17.8 million) or 4% of group worldwide turnover, whichever is greater.

As Bitdefender puts it in a release today: “IT decision makers are playing a game of chance with compliance. Despite the known risks of non-compliance, 83% of CSOs and 51% of Chief Information Security Officers (CISOs) say that they would be tempted to risk non-compliance to offset a complex implementation process.”

Here’s a reminder of some of the primary new rights and requirements under the GDPR.

Breach Notification

Under the GDPR, breach notification is mandatory where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours. Companies must ensure they have robust breach detection, investigation and reporting procedures in place.


Right to Access

People can now ask data controllers for confirmation whether personal data about them is being processed, where and for what purpose. Controllers must provide a copy of the personal data, free of charge, in an electronic format, when asked. How fast? “Without delay” and at the latest within one month of receipt.

Right to be Forgotten

In short, people can ask for their data to be deleted. This right is not absolute, however. Some examples of when it can be requested include:

  • When personal data is no longer necessary for the purpose for which it was collected.
  • When the individual withdraws consent.
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.

Data Portability

This allows individuals to obtain and reuse their personal data across different services, moving, copying or transferring personal data easily from one IT environment to another in a safe and secure way. Compliance means providing the personal data in a structured, commonly used and machine-readable form, for example a CSV file.

Privacy by Design

Privacy by design as a concept has existed for years. It is now becoming a legal requirement. Article 25 codifies the concepts of “privacy by design” and “privacy by default”, but takes a flexible approach to implementation. One company’s “flexible”, of course, is another’s “utterly confusing”. Conducting regular Privacy Impact Assessments (PIAs) can be one way to ensure clarity. The Information Commissioner’s Office provides a PIA code of practice [pdf].

Data Protection Officers

The EU itself describes current rules as a “bureaucratic nightmare”, with most Member States having different requirements under their own Data Protection Acts. GDPR aims to clear this up. Its rules require you to appoint a data protection officer, if you:

  • Are a public authority (except for courts acting in their judicial capacity);
  • Carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
  • Carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

For the full text of the GDPR, click here.

With (as we go to press) 76 days, 12 hours and 45 minutes until it goes live, there’s still time to roll up your sleeves.
