Friday, April 15, 2016

EU Data Protection Law Is Passed: What You Need to Know Now

April 15, 2016 - (Eskenzi PR) - Yesterday, the European Parliament gave its final approval to the new General Data Protection Regulation (GDPR). The approved data protection rules will strengthen online privacy, harmonize legislation across the 28 member states and boost police and security cooperation. Notably, the regulation introduces tougher penalties for companies in breach of EU data protection law, with fines of up to 4% of global turnover, and a requirement for companies to disclose personal data breaches within 72 hours.

Dr. William Priestley, systems engineer at Varonis, explains:

"The GDPR replaces the ageing Data Protection Directive to address contemporary data consumption paradigms such as the internet, cloud hosting and big data analytics. Basically, it addresses a Digital Single Market where data is flowing increasingly without boundaries. It also expands the territorial reach of, and therefore protection by, EU Data Protection law to organizations outside of the EU but working with data of EU citizens.

It adopts the "Privacy by Design" school of thought, meaning it will:

• minimize the collection of personal data
• account for where personal data resides
• delete personal data that’s no longer necessary
• restrict access to only those that need it
• secure personal data through its entire lifecycle

It also adopts, by design, accountability for the data, meaning organizations will need:

• to implement technical and organizational measures to properly process personal data; i.e., design comprehensive data governance policies and introduce technical methods to implement and enforce them
• in certain circumstances, to nominate a Data Protection Officer
• to provide clear documentation of process
• to conduct Data Protection impact assessments

GDPR legitimately recognizes Binding Corporate Rules, allowing intra-group international data transfers, and as such requires strict data governance practices to be in place before approval for a BCR. In the GDPR, a data breach needs to be reported within 72 hours of awareness. Those affected also need to be informed. Infringements, such as data breaches, will result in fines of up to 4% of global revenue (not margin).

What Organizations Need to Start Doing Now in Preparation for the GDPR

GDPR won't come into force immediately, but is looking likely to be effective within 2018. Before then, organizations will need to have in place all the governance policies, incident response plans and technical framework within which to effect compliance.

From an IT/digital perspective, these include:

• Prepare for data security breaches and have an incident response plan. (Ideally, detect and alert on data breach activity and prevent it. In the event of a breach, be able to provide forensic analysis of what data was affected by the breach and when it occurred, and provide this information to the Data Protection Authorities and affected individuals accordingly.)
• Establish a framework for accountability within the business (who owns the data, who are the data processors, train staff down the reporting line to understand their obligations, etc.).
• Embrace privacy by design in the business culture (restrict access to data, track the data's lifecycle activity, retire the data when it is no longer needed)."