The European Parliament’s official publication of the General Data Protection Regulation means it will become enforceable on 25 May 2018
The European Union’s General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 now that the new rules have been published.
The European Parliament’s publication of the regulation in the Official Journal of the European Union means it will become law on 25 May 2016, giving organisations 24 months to become compliant.
The GDPR will introduce new accountability obligations, stronger rights and restrictions on international data flows.
Against a backdrop of radical technological advances and the Snowden revelations, the new framework is ambitious, complex and strict. It presents any organisation that has so far failed to begin preparations with a steep challenge to become compliant in time.
“The countdown has begun. Businesses operating in Europe or targeting European customers have two years to get their act together and prepare for the new regime,” said Eduardo Ustaran, European head of privacy and cyber security at law firm Hogan Lovells.
“At stake are not only the consequences of non-compliance, but the ability to take advantage of the opportunities presented by new technologies, data analytics and the immense value of personal information.
“From determining when European law applies to devising a workable co-operation strategy with national regulators, there are many intricate novelties to understand and address,” he said.
To help organisations with the challenge, Hogan Lovells has published a guide entitled Future-proofing Privacy. It has been co-authored by 24 lawyers from 10 European Hogan Lovells offices.
The law firm said the guide is aimed at providing practical pointers to help organisations and individuals understand the new rules, identify how they impact on their own business, and comply with them in a practical and viable manner.
Christine Andrews, managing director at data governance, audit and consultancy firm DQM GRC, said “keep calm and carry on” seems a fitting theme for the published regulation.
However, she said this is only the case if you’re one of the organisations already valuing customers’ data.
“Unfortunately, for too long, some organisations have presumed consent, worked with implied permission, and experienced data losses that have taken months to detect and report. In some cases, such as TalkTalk, [organisations] have been unable to properly classify what personal data has been compromised.
“No CEO wants to look as ill-informed as poor Dido Harding, and customers have an absolute right to expect better,” she said.
According to Andrews, there are a few steps organisations can take to begin preparing for the new legislation immediately.
“First, organisations need to evaluate the personal data they have; categorising the data so they are clear where the personal and sensitive data resides and where other less important data sits in the company,” she said.
Usually, said Andrews, drafting a data flow map will help businesses to understand the pattern of data through the company, provide clarity on who has “eyes on” the data, what skills these people have and, finally, highlight where the data ends up.
“Once organisations understand just what personal data they have, they should then ensure that regular risk assessments are completed to understand the degree of threat imposed on the company when processing data.
“Indeed, the GDPR demands a risk-based approach with the development of appropriate controls. This should, in a single stroke, ensure that management recognise the dangers associated with the loss, misuse, theft or any other compromise of customer data,” she said.
For organisations that pass data onto third parties, Andrews said there is often a tendency to presume that they must operate to high standards of data security and protection. However, the GDPR now states that controllers must only engage with processors who can provide “sufficient guarantees”.
“Basically, as the data owner, you must check they have effective ‘technical and organisational measures to ensure the security of the processing’,” she said.
The GDPR also introduces the need for organisations to prepare a breach notification plan in the event that something does actually go wrong.
“If you’re already clear on what type of personal data you manage (categorisation) and where it is (data flows), then this process will be somewhat easier,” said Andrews.
“However, it’s worth being clear on who will co-ordinate the customer communication, the media response and the remedial activity – and make sure you rehearse this so you are practiced in the actual event. Consider it a data breach fire drill.”
Although organisations have a two-year deadline to become compliant with the new legislation, it is vital to remember that two years can pass quickly, she said. For many organisations, a significant amount of time and financial investment will be required, she added.