EU General Data Protection Regulation

EU General Data Protection Rules

On 4 May 2016 the new EU data protection rules were published in the Official Journal of the EU. The new rules take the form of the General Data Protection Regulation (GDPR), a regulation that will be directly applicable across all 28 EU member states and will modernise and unify data protection laws across the region. Following the one-stop-shop principle, businesses will only have to deal with a single supervisory authority.

Significantly, businesses that are found to be in breach of the GDPR may be liable to pay penalties of up to 4% of their total worldwide turnover, indicating that the EU intends data protection to become a board-level issue.

The GDPR will also introduce new data protection requirements. For example, businesses will be required to:

  • Implement strict technical and organisational security measures, including pseudonymisation and data encryption
  • Notify data breaches to the relevant data protection authority/authorities within 72 hours. In certain circumstances the breach will also have to be notified to the affected data subjects
  • Appoint a data protection officer in certain circumstances (e.g. for companies processing sensitive data on a large scale or for those that collect consumer information)
  • Conduct privacy impact assessments before carrying out high-risk data processing; and
  • Build in privacy by design when processing personal data.

Unlike the current EU data protection rules, many of the new rules will also apply to data processors (e.g. an external payroll services provider processing data for an employer).

The GDPR has now entered into force, but the new rules will only apply from 25 May 2018. That leaves businesses with around two years to bring their processing activities in line with the new data protection rules.

According to recital 134 to the GDPR "processing already under way on the date of application of this Regulation should be brought into conformity with this Regulation within the period of two years after which this Regulation enters into force."

We therefore recommend that businesses start preparing for the GDPR now.

Key Information

What is GDPR?

General Data Protection Regulation

When does it start to be enforced?

5th May 2018

Who does it apply to?

Anyone with 250+ employees or 5000+ records

GDPR is applicable to any organisation that holds data on EU citizens, regardless of where that organisation is based.

What are the fines?

Up to 4% of global annual turnover or up to €20 million

What should I do in the event of a breach?

Activate your Incident Report Programme

Report any incidents to the supervisory authority and any affected individuals (e.g., customers) within 72 hours

If appropriate technical and organisational protection measures are in place (such as encryption), notification to the data subjects may not be required

How Sec-1 Ltd can help you

There are some crucial steps that you should take right now, if you have not already started. The Information Commissioner's Office has published a "12 steps to take now" document that outlines the key actions you should be undertaking. Everyone underestimates the challenges of complying with any standard, partly because of the level of detail involved but most commonly because of a lack of confidence in interpreting what the standard requires of you. This is where we excel. We have technical experts who clearly understand the requirements of GDPR. We know what questions to ask; we understand how companies use data, so we know where to look; and we understand how attackers exploit vulnerabilities, so we know what to do to protect systems. All of this combined will almost certainly save you time and money, and will spare you the anxiety of working it out on your own.

Awareness covers many aspects of GDPR; however, at the front end of completing this checklist it is about raising awareness in the business that the law is changing and about understanding what information you hold.

Our services cover:

Data Discovery

We can identify where your Personally Identifiable Information (PII) is and produce an information audit. This audit clearly defines your data in terms of:

  • Where it is
  • Who has access to it
  • Where it goes

Technical Audit & Gap Analysis

We review the existing security controls of your organisation to establish how well protected the PII is. A gap analysis is then performed to work out what weaknesses exist, and recommendations are made for remediating them.

The gap analysis results in a document that allows you to prioritise the next actions you need to take and puts them in order of importance. Any decisions that need to be made to mature your level of preparation will be based on sound investigation and will prevent wasted investment of time and money.

Technical Enforcement and Security Controls

Everyone has heard that "security should not be a point in time": a good strategy serves to protect the organisation and its data subjects on a perpetual basis. Managing and maintaining practices that remain within the bounds of the GDPR requires a security infrastructure that can monitor and control the use and movement of data, identify the users who are using the data, restrict access to only those users who need it, and render the data unintelligible in the event that it is accessed by an unauthorised user.

Each of these requirements can be fulfilled by implementing technical controls such as:

  • Logging and Monitoring and Security Analytics
  • Encryption and Endpoint Security
  • Strong or Two Factor Authentication
  • Identity and Access Management Solutions
  • Penetration Testing and Vulnerability Management
  • Data Monitoring and Data/Document Classification
  • User awareness training

Through the Gap Analysis you will receive a measured assessment in each of these areas, and we will make recommendations about solutions that will address the weaknesses found.

This blog was written for Gemalto by Tom De Cordier and appeared on the Gemalto blog site http://blog.gemalto.com/

Sec-1 Ltd is a Gemalto Gold Partner, and is a preferred technology partner for data encryption, key management and user access security.

'Following (our) initial meeting, Sec-1 was requested to provide a Penetration Test for the Halcrow Group. The standard of report received has resulted in Sec-1 being the provider of choice for Penetration and Application Testing for the Halcrow Group, and they are retained for the foreseeable future.'

David Grant
Halcrow Group