The new General Data Protection Regulation (GDPR) was agreed in Brussels in 2015 and will apply from 25th May 2018 to any organisation handling the personal data of individuals in the EU, wherever that organisation is based. Although 2018 seems a long way off, the Regulation contains a number of very onerous obligations that will take a long time to fulfil, and organisations should therefore start their preparation now.
But what about Brexit, I hear you say. Well, it will still apply if your organisation deals with the data of EU residents, whether the UK leaves the EU or not.
Once GDPR has kicked in, the current Data Protection Directive 95/46/EC will be repealed, and organisations that fail to abide by the requirements of GDPR will face very tough penalties, which could have an impact on the very survival of the organisation itself. The maximum fine for the most serious infringements is 4% of annual worldwide turnover or EUR 20 million, whichever is the greater, so a considerable sum.
There are a number of obligations to be implemented over the intervening period, and in some cases organisations may find it beneficial to work towards attainment of the ISO 27001 standard for Information Security Management. Note that ISO 27001 certification does not by itself satisfy GDPR: it covers the security of processing, but GDPR also imposes obligations on lawful basis, consent, data subject rights, breach notification and data transfers that sit outside an information security management system. It does, however, provide a recognised framework for demonstrating that "appropriate technical and organisational measures" are in place.
The key changes of GDPR that will impact an organisation's Information Technology department are:
- Organisations must prepare in advance for a data security breach, which is particularly necessary to combat the cyber-crime that is constantly in the media at present. There should be clear, tested policies and procedures (an incident response plan, contact details for the data protection authority, and a record of who decides whether a breach is notifiable) that demonstrate preparation for dealing with any data breach.
- The GDPR requires that organisations adhere to strict data breach notification requirements: the data protection authority must be informed without undue delay and, where feasible, within 72 hours of the organisation becoming aware of the breach, unless the breach is unlikely to result in a risk to the individual data subjects concerned. Because the clock starts at the point of awareness, incident response procedures should record when a breach was detected and escalate it immediately. If the breach is high-risk then the data subjects themselves must also be informed; for this the GDPR sets no fixed deadline, requiring only that it be done "without undue delay".
- Organisations must develop a framework that ensures clear accountability, with transparent policies and consent forms that are simple to understand and that record clear, affirmative consent for processing data. Pre-ticked boxes and silence do not count as consent under GDPR, and the organisation must be able to demonstrate that consent was given.
- There must also be an inbuilt culture of review and continual improvement to ensure that policies and procedures are being met within the organisation, especially around the length of time for which personal data is held and the process for deleting it once that period has expired.
- Privacy impact assessments (PIAs), which GDPR calls data protection impact assessments (DPIAs), will have to be prepared as a result of GDPR and should be at the heart of a privacy by design approach, which should be embraced. DPIAs are mandatory where processing is likely to result in a high risk to the rights and freedoms of data subjects, for example large-scale processing of sensitive data or systematic monitoring. In the long run this is of benefit to the organisation and is likely to save costs and reduce reputational risk.
- A risk assessment should be undertaken if an organisation is seeking to transfer personal data to countries outside the EU that are not recognised by the European Commission as providing adequate data protection. A legitimate business case is necessary but not sufficient: the transfer must also be covered by an appropriate safeguard, such as standard contractual clauses or binding corporate rules, before it is completed.
- Parental consent will be necessary before the personal data of children under the age of 16 is processed in connection with online services offered directly to a child (member states may lower this threshold, but not below 13). Such consent must be clear and transparent, and the organisation must make reasonable efforts to verify that it was given by the holder of parental responsibility and keep a record of how it was obtained.
This is clearly a complex area for an organisation to deal with, and we have no doubt that the impact on some organisations will be considerable. However, with so much personal data held within large organisations, and given the power of the media and the potential reputational damage should there be a breach, it is clear that this has to be a high priority for the facilities management team.