First and foremost it’s important to say that GDPR (General Data Protection Regulation) is an issue for the legal and compliance teams within an organisation, and not directly an IT issue – they must then instruct IT with regard to any specific requirements. Let’s take a quick look at what it’s all about:
Organisations must perform a Data Protection Impact Assessment (the GDPR's name for a Privacy Impact Assessment) where processing is likely to be high risk, and implement the principles of Privacy by Design and Data Minimisation. The result is that individuals have rights over their data [1], and every use of that data needs a lawful basis; where that basis is consent, the individual can withdraw it at any time. In particular:
- Storing it – they have the right to request that it is erased if there is no legitimate reason to keep it
- Using it – there must be a legitimate reason why you are processing it, and there must be safeguards against a potentially damaging decision about them being taken solely by automated means, without human intervention
Only the minimum amount of data necessary for the specified use case should be collected and the data should only be kept for the minimum duration. In addition there are restrictions on the transfer of data outside the EU in order to ensure that the level of protection afforded by the GDPR is not undermined.
Organisations must assess the security risks to the personal data they hold and implement appropriate technical and organisational measures (security best practice) to minimise the chance of a data breach [2]. If a breach occurs, the organisation must notify the supervisory authority without undue delay (within 72 hours of becoming aware of it, where feasible) and, if the breach is likely to put individuals at high risk, must also notify those individuals so they can limit the damage.
Penalties for the most serious infringements can be up to 4% of global annual turnover or 20 million euros, whichever is higher; a lower tier of 2% or 10 million euros applies to other infringements. These fines apply to non-compliance in general, not only to breaches.
So in essence it is very simple: make sure that privacy and security are at the heart of your data collection and processing activities, and be very aware that if you get these wrong the financial and reputational impact on your organisation could be huge.
[1] The GDPR applies to personal data about individuals in the EU (regardless of their citizenship) and applies from 25 May 2018. Personal data is any information relating to an identified or identifiable individual, whether it concerns his or her private, professional or public life: anything from a name, a photo, an email address, bank details, posts on social networking websites or medical information to a computer's IP address.
[2] A data breach is a security incident in which personal data is hosted in an unauthorised environment, or is copied, transmitted, viewed, stolen or used by someone not authorised to do so.
In part 2 I will take a look at what the impact will be to an organisation’s Processes and Procedures.