What is GDPR?
GDPR stands for General Data Protection Regulation. It is a proposed EU regulation, not part of the European Convention on Human Rights: its legal basis is Article 16 of the Treaty on the Functioning of the European Union, and it gives effect to the right to the protection of personal data set out in Article 8 of the EU Charter of Fundamental Rights. At the time of writing it is still a draft, expected by its supporters to come into effect in 2015, and it is designed to replace the 1995 Data Protection Directive with a single, simpler set of rules across the 28 member states of the European Union (EU). (In the event, the final text was adopted in April 2016 and applies from 25 May 2018.)
The GDPR includes a strict compliance regime with severe penalties. The European Commission's draft proposed fines of up to 1,000,000 euros or two percent of annual worldwide turnover; the European Parliament's amended text of March 2014 raised this to up to 100M euros or up to five percent of annual worldwide turnover for organisations in breach of its rules.
The Commission published its proposal for the GDPR in January 2012 and the European Parliament adopted its amended version in March 2014. At the time of writing the EU is said to be planning for adoption over the coming months, but the text is not yet final: the Council of Ministers has still to agree its own position, and the final wording must then be negotiated between the Parliament and the Council.
What problem is it designed to address?
The regulation is designed to address the fragmented and increasingly blurred rules around the protection of personal data. It is intended to keep pace with globalisation and with changes in how we use, share and store data. For instance, it addresses data protection on social networks and in cloud computing, including the security of data in transit (secure file transfer) and a right to erasure, better known as the ‘right to be forgotten’.
The draft GDPR is explicit that personal data means any information relating to an identified or identifiable individual, whether it concerns his or her private, professional or public life. It can be anything from a name, a photo, an email address or bank details to posts on social networking websites, medical information or a computer’s IP address. The draft also allows member states to lay down their own rules for the processing of employee data, so employee data may remain subject to national regulation.
How are organisations currently reporting data breaches? Does it vary by country?
Each country currently has its own Data Protection Authority (DPA); in the UK it is the Information Commissioner’s Office (ICO). Because the GDPR is a regulation rather than a directive, it will apply directly in all EU member states without needing to be transposed into national legislation, in contrast to the 1995 Directive, which each country implemented in its own way. The draft also introduces a ‘one-stop shop’: a single lead DPA will be responsible for each company, determined by where the company has its main establishment.
The GDPR will also have a significant impact on companies based outside Europe. Under the draft its rules apply not only to companies established in the EU but to any organisation that offers goods or services to individuals in the EU or monitors their behaviour, reflecting that in today’s age business has become borderless.
Why is more regulation needed?
There have been no major changes to EU data protection law since the Data Protection Directive of 1995. The world we live and work in has changed significantly since then, and new regulation is needed to ensure that personal data is kept safe and treated consistently across all EU countries, rather than under 28 differing national implementations of the Directive.
How can GDPR help?
The development of public, private, government and hybrid cloud computing services over the last twenty years has complicated the question of where personal data is stored and processed, and by whom. The GDPR will help by spelling out the responsibilities of the organisations that control and process that data, making it easier for both European and non-European companies to comply and avoid penalties.
What impact will this have on organisations?
If the draft is implemented in its current form, organisations will need to consider whether, and how, they must change the way they collect, process and store personal data.
The Association for Information and Image Management (AIIM) sets out the changes that organisations will need to make in its report Making sense of European Data Protection Regulations. It identifies eleven key areas, ranging from obtaining consent to collect data to fully documenting any breach.
Are organisations prepared for the roll-out?
It seems that few are. According to a recent Ipswitch survey of 316 European organisations, more than half (56 percent) of respondents could not accurately say what ‘GDPR’ stands for. Over half (52 percent) admitted they were not ready for the GDPR, and over a third (35 percent) confessed to not knowing whether their IT policies and processes were up to the job. Only 14 percent could correctly identify that the GDPR was, at the time, expected to come into effect in late 2014 or early 2015.
Despite this lack of awareness of regulatory change, when asked about their priorities for 2015 only 13 percent said they planned to spend more time understanding and preparing for regulation. A quarter (26 percent) said they wanted to spend more time reviewing and tightening security policies, and a further quarter (26 percent) said they wanted to spend less time on manual reporting and auditing.
As well as testing the readiness of IT professionals, the survey revealed that very little thought has been given to whether an organisation’s Cloud Service Provider (CSP) is ready for the change. Although 79 percent of those surveyed used a CSP, only six percent said they had thought to ask the provider whether it was ready for the GDPR.
What can organisations do to ensure they meet these new regulations?
The GDPR places obligations on both data controllers and the processors acting for them to keep personal data secure wherever it is handled, inside or outside the EU. IT professionals should review and strengthen their data processing policies and practices now, before the regulation comes into effect.
There are practical steps that can be taken now to ensure that an organisation’s policies, procedures and technologies are up to the job of complying with the GDPR. Review contracts with data processors and Cloud Service Providers. Establish exactly where your cloud data is hosted, in which country, and how it is backed up and encrypted, both at rest and in transit. Begin setting up procedures now for obtaining, and recording, explicit consent for the collection and processing of personal data, since under the draft the burden of proving that consent was given falls on the organisation.
Once confident in their systems and procedures, organisations will be able to apply for the European Data Protection Seal proposed in the draft, a certification of their processing that would be valid for up to five years.