With just 11 weeks to go until the EU’s General Data Protection Regulation (GDPR) becomes enforceable on 25 May 2018, many IT decision makers at the coalface remain worried.
Research released today by cybersecurity giant Bitdefender, for example, finds that 74% of C-suite IT players believe government explanations of how to prepare have been inadequate.
A reminder: GDPR was designed, in the EU’s words, “to harmonize data privacy laws, to protect and empower all EU citizens’ data privacy and to reshape the way organizations… approach data privacy.”
Get implementation wrong and you face fines from your supervisory authority (in the UK, the Information Commissioner’s Office) of up to €20 million (£17.8 million), or 4% of total worldwide annual turnover, whichever is higher.
As Bitdefender puts it in a release today: “IT decision makers are playing a game of chance with compliance. Despite the known risks of non-compliance, 83% of CSOs and 51% of Chief Information Security Officers (CISOs) say that they would be tempted to risk non-compliance to offset a complex implementation process.”
Here’s a reminder of some of the primary new rights and requirements under the GDPR.
Breach Notification
Under the GDPR, notifying the supervisory authority of a personal data breach is mandatory where the breach is likely to “result in a risk to the rights and freedoms of individuals”. This must be done within 72 hours of becoming aware of the breach; where the risk is high, affected individuals must also be told without undue delay. Companies must therefore ensure they have robust breach detection, investigation and reporting procedures in place, because the 72-hour clock starts with detection, not with the end of the investigation.
Right to Access
People can now ask data controllers for confirmation of whether personal data about them is being processed, where and for what purpose. Controllers must provide a copy of the personal data, free of charge, in a commonly used electronic format, when asked. How fast? “Without undue delay” and at the latest within one month of receipt (extendable by a further two months for complex or numerous requests).
Right to be Forgotten
In short, people can ask for their data to be erased. This right is not absolute, however. Some examples of when it can be exercised include:
- When personal data is no longer necessary for the purpose for which it was collected.
- When the individual withdraws consent.
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
Right to Data Portability
This allows individuals to obtain and reuse their personal data across different services; moving, copying or transferring personal data easily from one IT environment to another in a safe and secure way. Compliance means providing the personal data in a structured, commonly used and machine-readable format, for example a CSV or JSON file, and, where technically feasible, transmitting it directly to another controller at the individual’s request.
Privacy by Design
Privacy by design as a concept has existed for years. It is now becoming a legal requirement. Article 25 codifies “data protection by design” and “data protection by default”, but takes a flexible, risk-based approach to implementation. One company’s “flexible”, of course, is another’s “utterly confusing”. Conducting regular Privacy Impact Assessments (PIAs), which the GDPR formalises as Data Protection Impact Assessments (DPIAs) for high-risk processing, can be one way to ensure clarity. The Information Commissioner’s Office provides a PIA code of practice [pdf].
Data Protection Officers
The EU itself describes the current rules as a “bureaucratic nightmare”, with most Member States having different requirements under their own data protection acts. GDPR aims to clear this up. Its rules require you to appoint a data protection officer if you:
- Are a public authority or body (except for courts acting in their judicial capacity);
- Carry out, as a core activity, regular and systematic monitoring of individuals on a large scale (for example, online behaviour tracking); or
- Carry out, as a core activity, large-scale processing of special categories of data or of data relating to criminal convictions and offences.
For the full text of the GDPR, click here.
With (as we go to press) 76 days, 12 hours and 45 minutes until it goes live, there’s still time to roll up your sleeves…