General Data Protection Regulation (GDPR)
By May 2018 at the latest, EU Regulation 2016/679 on the protection of personal data must begin to apply. This EU regulation aims to increase the security of personal data within the European Union and also sets the rules for exporting and handling personal data outside the EU. The new regulation will affect all business entities that manage or process personal data. For Czech companies this means that they will have to adopt new technical and organizational measures to ensure that data processing is carried out in accordance with the regulation.
The most important GDPR requirements:
- GDPR has global effect
GDPR applies to all organizations worldwide that manage or process personal data of EU citizens.
- GDPR defines the scope of personal data
GDPR extends the scope of what is considered personal data. It broadens the definition of protected data to any data that could lead to the identification of a citizen. In practice this means that security measures must be implemented in all parts of the corporate IS that process personal data in any way. GDPR covers data concerning, for example, genetics, mental health, and the economic, cultural and social situation of citizens.
- GDPR tightens the rules for obtaining consent to the processing and use of personal data
Companies and organizations must be able to prove the citizen's consent to the administration and processing of his or her personal data. Passive consent is no longer sufficient.
- Creation of the "Data Protection Officer" role
GDPR requires government bodies that process personal information to name a person responsible for personal data protection. A similar position will also have to be created by entities that regularly collect and process large amounts of personal data or work with other specific data that carry elements of personal information.
- GDPR does not distinguish by the size of the organization
GDPR does not take the size of the organization into account when its requirements are implemented. The requirements apply equally to all companies irrespective of their size and number of employees.
- GDPR introduces a mandatory PIA (Privacy Impact Assessment)
GDPR calls for a mandatory assessment of the impact on citizens' privacy, the privacy impact assessment (PIA). This requirement covers the identification and evaluation of risks and their impact throughout the entire life cycle of processing and managing personal data. These impacts must be taken into account when developing programs or information systems that process personal data.
- GDPR: providing information about data leakage
The organization must implement measures capable of continuously monitoring for violations of data integrity or for data leakage. An integrity violation or data leakage must be reported within 72 hours.
- GDPR: minimizing the time for which data is held
GDPR introduces very strict requirements that minimize the time for which companies may store personal data: personal data must not be held longer than necessary. If the purpose of the personal data processing changes, new consent must be requested from the citizen. From the organization's perspective this means that companies must implement processes and technologies that ensure the anonymization or deletion of a citizen's personal data upon his or her request or after the specified period.
- GDPR extends the responsibility of the personal data custodian
The requirements now apply not only to registered data custodians but to all service providers that are in any way involved in processing personal data.
- GDPR: design and development of IS
GDPR requires that personal data protection is taken into account already during the design and development of information systems. For example, anonymization and complete deletion of data are requirements that have so far rarely been considered. In the future, every such information system will need the capability to completely erase personal data.
- GDPR introduces the unified approach concept
This means that the principle of a unified approach to personal data protection will apply throughout the whole EU, regardless of local regulations in the individual countries.
Implementing the security measures needed to meet the GDPR conditions will be quite complex. Given the facts and conditions stated above, it will be efficient to outsource the implementation to a professional consulting company. Versa Systems' team of professionals will help YOU not only with the correct implementation (and thus with meeting the requirements of the new regulation) but also with the design of new security controls that ensure consistent compliance with GDPR. Since GDPR introduces stricter penalties for violating the prescribed rules (up to 20 million euros or 4% of the company's total global annual turnover), it is unwise to delay the GDPR implementation.