There is more personal data in cyberspace than ever before. Protecting data from cyber criminals, who use more sophisticated methods every day is a huge challenge. As personal data becomes an ever more valuable commodity regulations are becoming tighter. The General Data Protection Regulation is designed to harmonize data privacy laws across Europe, to ensure privacy protection to all EU citizens and, to reshape the way organizations across the region will approach fraud, cybersecurity and data privacy. The GDPR will touch all parts of the organization so it is crucial for everyone, not only CEOs, CIOs and CMOs, to understand the fundamentals. What is the GDPR, why is it important, and what does noncompliance mean for organizations?
GDPR is an EU regulation for the protection of personal data
The General Data Protection Regulation (GDPR) is a new EU Regulation related to the protection and free movement of personal data. It was approved by the EU Parliament in April 2016 and will come into force on May 25th 2018. The GDPR, considered to be “the most important change in data privacy regulation in 20 years,” requires a very systematic and comprehensive management of IT security. CIOs should be one of the first advocates, creating awareness and alignment roadmaps. It calls for better data privacy protection management, reporting and accountability mechanisms, including a requirement to notify data breaches. It also require organizations to map data flows and conduct data protection impact assessments. The GDPR provides enhanced rights for individuals and increased scrutiny by regulators. Non-compliance may lead to substantial fines.
The GDPR protects all EU citizens in an increasingly data-driven world
We live in a face-paced world, vastly different from the time in which the 1995 directive was established. Although the key principles of data privacy still hold true to the previous directive, the GDPR proposes some law changes to boost cybersecurity and strengthen privacy protection for all EU citizens. Let’s walk through some key facts about the GDPR.
The GDPR will require organizations to change the way they capture, manage and store information and, in order to meet set regulations, many will need to completely overhaul legacy systems and current practices. Although the key points of data privacy from the pervious directive are still relevant today many changes have been proposed to cover modern threats to data privacy. Many organizations will be required to have a Data Protection Officer (DPO) with a fundamental understanding of the processes and the classification of data. A DPO is an expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR.
Will your organization need a DPO?
Appointment of a Data Protection Officer will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences. GDPR will change the way personal data is gathered and handled. A data subject’s consent to use their personal data will need to be given by a clear affirmative action. The consent will need to be clear and distinguishable from other matters, presented in an intelligible and easily accessible form, using clear and plain language. What’s more, withdraw of consent will need to be as simple as giving it.
The “right to be forgotten” will soon be a reality
Data subject rights will also become more transparent. If data breaches occur, organizations will be required to notify the authorities within 72 hours and to communicate the breach to the data subjects. Data subjects will be able to receive a confirmation from the data controller, free of charge, in an electronic format, whether or not personal data concerning them is being processed, where and for what purpose. They will also have the “right to be forgotten,” to have their personal data erased, the dissemination of their data stopped, and potentially halt the processing of their data by third parties as well. GDPR will introduce data portability - the right for a data subject to receive the personal data concerning them, which they have previously provided in a “commonly use and machine readable format' and have the right to transmit that data to another controller. Privacy by design is as a concept that has existed for years now, but it will soon become part of a legal requirement with the GDPR. At its core, privacy by design will require the inclusion of data protection during the design stage of systems, no longer treating data protection as an add on. These changes are a dramatic shift to data transparency and empowerment of data subjects.
Non-compliance will result in heavy fines and damaged reputations
Today’s face-paced world calls for more strict cybersecurity regulations and better, faster defense against fraudulent activities. The GDPR requires a very serious and professional management of IT security, making it crucial for CIOs to have a fundamental grasp of its scope and be the first advocate of it. It is based on risk analysis and implies the usage of security best practices and security measures. This requires data protection management, reporting and accountability requirements, including a requirement to notify data breaches, map data flows and conduct data protection impact assessments. Violation of the GDPR may lead up to 4 percent of the total worldwide annual turnover or 20 million euro – whichever is higher. It is high time for all organizations to get started. Is your organization prepared or will you be paying the heavy fines?
Capgemini and Oracle work with organizations from all industries across the globe. Together, we have a deep understanding of the GDPR and associated business issues and technology solutions. Our portfolio for assessment, development of a strategic plan, data protection impact assessment and technology will help you get ready for the GDPR. Read more about GDPR on Capgemini Cybersec Services and Solutions and find further resources about De-identification of Personal Data from NIST and Data Protection Act (DPA) and EU GDPR Penalties by it governance.
(About the author: Christer Jansson is a principal consultant with Capgemini. This post originally appeared on his Capgemini blog, which can be viewed here)
Register or login for access to this item and much more
All Information Management content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access