In this digitally connected world the need for proper use, management and optimisation of data has never been greater. Data issues have been all too common news items over the past few months and tech companies are now firmly under the spotlight.
Against this backdrop, the EU has approved the highly anticipated General Data Protection Regulation (GDPR) to take account of the rapid increase in the use of data and how our behaviour towards personal data usage has changed since the launch of the last EU Directive in 1995.
The sheer scale of the wide ranging new requirements is compounded by a hard deadline of 25 May 2018 to ensure full compliance with the new regulations. Add to that the cost of non-compliance which could result in penalties of up to €20 million, or four percent of worldwide turnover (whichever is highest), and it is clear that tech companies not only need to fully understand the requirements of the GDPR but also prepare well in advance of 2018.
So what are the changes expected under the new regulation?
There are around a dozen headline changes which technology companies should be aware of. Some of the key areas include:
How we can help
- Privacy by design – privacy by design calls for the inclusion of data protection from the onset of the designing of systems. Companies must also only hold and process data which is absolutely necessary.
- Data processors – those who process data on behalf of data controllers, including cloud-providers, data centres and processers. Liability will extend to these and businesses that collect and use personal data.
- Data protection officers – internal record keeping and a data protection officer (DPO) will be introduced as a requirement for large scale monitoring of data. Their position involves expert knowledge of data protection laws and practices, and they will be required to directly report to the highest level of management.
- Consent – explicit permission to hold any personal data in electronic systems will become mandatory. It will no longer be possible to rely on implied consent with individuals having the option to opt-out.
- Breach notifications – the notification of a breach, where there is a risk that the rights and freedoms of individuals could become compromised, must be reported within 72 hours of the breach being identified.
- Right to access – data subjects will now have the right to obtain confirmation from you of what personal data is held concerning them, how is it being processed, where and for what purpose.
- Right to be forgotten – data subjects will now have the right to be forgotten which entitles the data subject to have you ensure that information is deleted from every piece of IT equipment, portable device and from server back-ups and cloud facilities.
There are a number of aspects to the GDPR that will take considerable time to achieve and all organisations should be looking at these now. This draws on a range of governance, risk and assurance capabilities as well as in-depth technical and data protection skills. Our team of Technology Regulation experts can support you to:
- Educate your senior management and employees on the changes that the GDPR will bring and ensure that they are fully aware of these and how these changes will affect the organisation.
- Architect your risk, policy and procedure environments to help you ensure your business operates effectively in line with the GDPR regulation requirements.
- Assure the processes you have in place around GDPR giving you independent and timely information on the state of your data management in relation to GDPR regulation requirements.
- Manage your GDPR requirements and objectives, making sure you blend education, architecture and assurance in a way that is appropriate to your operation.
If you would like further information on the above or find out about our services, please contact Steve Williams