The General Data Protection Regulation (GDPR) is anticipated to take effect in May 2018. Will you be ready?
As a comprehensive reform of the EU’s 1995 data protection directive, GDPR is being developed to strengthen and unify online privacy rights and data protection for individuals within the EU. It is also intended to streamline the data protection obligations of businesses serving EU citizens by replacing 28 different national laws with a single regulation. Even once the UK is no longer part of the EU following Brexit, if you are responsible for handling the data of EU citizens you must still comply with GDPR. The penalty for failing to meet any of the requirements can be up to 4 per cent of global annual turnover.
What do you need to know about protecting the sensitive data in your care? Below are four basic data rights GDPR grants to EU citizens:
Right to erasure
Individuals have the right to request that personal data be deleted or removed under certain circumstances. To carry out these requests, you need to know where all your data is stored. If you store your data in the cloud or in a third-party colocation facility, the provider must be able to tell you every location where the data resides (including the data centres used by cloud services). When an individual exercises their right to erasure, the provider must be able to offer written confirmation that the applicable records have been destroyed.
Right to data portability
You must be able to grant access to individuals’ data in a “structured, commonly used, machine-readable and interoperable format”. This right is intended to allow individuals to easily transfer their data to another controller, and it’s your responsibility to accommodate these requests. Again, this requires knowing where all the data in your care resides.
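Both the right to erasure and the right to data portability come down to the same prerequisite: an inventory of every location that holds a subject's personal data. The following is an added example, not code from the original article, of a minimal inventory that can export a subject's data as one machine-readable JSON document and erase it from every registered location while producing a confirmation record. The store names, field names and records are constructed for illustration only.

```python
"""Added example: a minimal data inventory that knows every location where a
subject's personal data lives, exports it in a machine-readable format, and
erases it everywhere with a written confirmation. All store names, field
names and records below are constructed for illustration."""
import json
from datetime import datetime, timezone

# Constructed sample: three stores that might hold copies of the same data
# (a primary database, a nightly backup and a third-party analytics copy).
STORES = {
    "primary-db (eu-west-1)": [
        {"subject_id": "u-1001", "email": "alice@example.com", "plan": "pro"},
        {"subject_id": "u-1002", "email": "bob@example.com", "plan": "free"},
    ],
    "backup (eu-central-1)": [
        {"subject_id": "u-1001", "email": "alice@example.com", "plan": "pro"},
    ],
    "analytics-copy (third-party)": [
        {"subject_id": "u-1001", "last_login": "2018-01-30"},
    ],
}


def locate_subject(subject_id, stores=STORES):
    """Return {store_name: [records]} for every store holding the subject."""
    return {name: [r for r in recs if r["subject_id"] == subject_id]
            for name, recs in stores.items()
            if any(r["subject_id"] == subject_id for r in recs)}


def export_subject(subject_id, stores=STORES):
    """Portability export: one JSON document with every copy, keyed by store."""
    return json.dumps({"subject_id": subject_id,
                       "exported_at": datetime.now(timezone.utc).isoformat(),
                       "data": locate_subject(subject_id, stores)},
                      indent=2, sort_keys=True)


def erase_subject(subject_id, stores=STORES):
    """Delete the subject from every store and return a confirmation record
    listing each location and how many records were destroyed there.
    'remaining' is re-checked after deletion and must be empty."""
    destroyed = {}
    for name, recs in stores.items():
        before = len(recs)
        recs[:] = [r for r in recs if r["subject_id"] != subject_id]  # in place
        if before != len(recs):
            destroyed[name] = before - len(recs)
    return {"subject_id": subject_id,
            "destroyed_at": datetime.now(timezone.utc).isoformat(),
            "locations": destroyed,
            "remaining": locate_subject(subject_id, stores)}


if __name__ == "__main__":
    print(export_subject("u-1001"))
    print(json.dumps(erase_subject("u-1001"), indent=2))
```

The confirmation record is what a provider would hand back after an erasure request: it names each location touched and re-verifies that nothing is left, so a copy forgotten in a backup or analytics store shows up as a non-empty `remaining` rather than going unnoticed.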
Breach notification
To reduce the likelihood of data breaches and malware infections, implement multiple layers of protection, including reputable anti-virus and intrusion detection software and network monitoring, have a policy that restricts access to data, and don’t open unknown attachments. If your network is breached, audit logs will be essential for determining where the attacker has moved within your network, so you can establish what data has been compromised and send out the appropriate notifications. This process must happen quickly, as GDPR requires breach notification within 72 hours of discovering the breach.
Data protection by design and default
GDPR requires that data protection safeguards be integrated into products and services from the earliest stage of development. Privacy should always be the default. When allowing a third party to handle the data in your care, ensure they prioritise security through measures such as:
- Data encryption in transit and at rest
- Secure remote access to data
- Destruction of data records upon request
- Service level agreement that guarantees the provider’s ability to quickly restore data when needed
- 24/7/365 data centre monitoring
- Employee background checks
- Compliance with BCI standards
- Layers of cybersecurity protection, including intrusion detection and prevention, port scanning and protocol inspection, and perimeter anti-virus/malware blocking
Ensuring these safeguards are in place will help protect the data in your care and minimise the likelihood of a data breach.
The final GDPR text is available in its entirety as a PDF.
The above article is intended for guidance only and any reliance upon the contents is at your own risk.