What Businesses Need to Know About the General Data Protection Regulation (GDPR)
June 14, 2016
The General Data Protection Regulation (GDPR) has been agreed by the European Commission, Parliament and Council in order to provide EU-wide protection for personal and corporate data across the European Union (EU). The regulation will formally come into force in May 2018, but enterprises should proactively prepare to meet its requirements now.
What every organisation needs to know about the General Data Protection Regulation:
- The goal is uniformity – The regulation applies to all countries across Europe as well as any international firm collecting, storing, sharing or processing data on citizens of the EU, no matter where the firm is located or where the data is stored.
- The employment of a Data Protection Officer (DPO) – Firms with over 250 employees, or that process information on more than 5000 individuals within a twelve-month period, must have an individual dedicated to the responsibility of protecting the data they process. Smaller firms only need to employ someone in this role if handling personal data is pivotal to their operations. The DPO will require expert knowledge and can be employed full-time or under a service contract. (Note: the difference between a Data Protection Officer and a Compliance Officer is that the DPO is directly responsible for data security and for the processes used to handle data securely.)
- Data Protection Impact Assessments – For high risk situations including, but not limited to, information about health, public video surveillance, and information involving genetic or biometric data, data protection impact assessments will need to be completed.
- Rapid Breach Notification – The GDPR requires firms to notify data protection authorities of any data loss incident as soon as possible: within 24 hours where feasible, and at most within 72 hours of its discovery, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Records must be kept of all breaches that the authorities are not notified about. When a breach may impact the rights and freedoms of individuals, those individuals must also be notified as soon as possible.
When the General Data Protection Regulation formally takes effect in May 2018, a Network and Information Security Directive is also expected to come into effect, requiring providers of essential services to notify the relevant authorities of any security incidents they suffer. Full details of this directive are not yet readily available; however, all enterprises should be prepared with the appropriate technology and processes to prevent, detect, contain and report on such incidents.
In order to prepare for the GDPR’s implementation, Herjavec Group recommends that enterprises:
- Consider data protection and privacy at the onset of the security planning process
- Perform a Network Security Assessment and Gap Analysis to reassess the effectiveness of the security controls in place, particularly when it comes to storing, processing or transmitting data
- Prepare a security framework and an emergency preparedness plan, identifying clear policies and procedures to follow for all elements of data handling, information security & incident response
- Develop a timeline for regular assessments and reporting reviews for all systems to ensure the technical and organisational effectiveness of your security posture
- Evaluate the use of encryption tools in order to secure access rights and ensure the confidentiality & authenticity of digital data
- Invest in a Security Information and Event Management (SIEM) system and consider third-party Managed Services support in order to streamline data logging, correlation & security intelligence gathering
The GDPR is a timely reminder that all enterprises, no matter their location, should proactively assess their security posture in terms of visibility, controls and scope. This regulation is not about striving for perfection. It is an important step forward in improving security, achieving compliance and identifying emerging threats in real time.
If you would like more information on Herjavec Group’s UK operation including our Consulting, Professional Services, Managed Services and Incident Response practices, please contact us.
About Herjavec Group
Dynamic IT entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity solutions and services to enterprise organizations. Herjavec Group delivers SOC 2 Type 2 certified managed security services globally supported by a state-of-the-art, PCI compliant, Security Operations Centre (SOC), operated 24/7/365 by certified security professionals. This expertise is coupled with leadership positions across a wide range of functions including consulting, professional services & incident response. Herjavec Group has offices globally including head offices in Toronto (Canada), New York City (USA), Reading (United Kingdom) and Sydney (Australia). For more information, visit www.herjavecgroup.com.