From 25 May 2018, the EU General Data Protection Regulation (GDPR) will affect every organisation that processes EU residents’ personally identifiable information (PII). The information below provides a breakdown of the key provisions introduced by the new law, which every organisation must be aware of.
The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations, and to individuals. The ICO’s role has always involved working closely with regulators in other countries, and that will continue to be the case. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will work with government to stay at the centre of these conversations about the long-term future of UK data protection law and to provide our advice and counsel where appropriate.
About the GDPR
First proposed in January 2012 by the European Commission and formally approved by the European Parliament in April 2016, the GDPR will supersede national laws such as the UK DPA, unifying data protection and easing the flow of personal data across the 28 EU member states.
The Key changes introduced by the Regulation
If your business is not in the EU, you will still have to comply with the Regulation
Non-EU organisations that do business in the EU with EU data subjects’ personal data should prepare to comply with the Regulation. Those providing products or services to EU customers or processing their data may have to face the long arm of the law if an incident is reported.
The appointment of data protection officer (DPO) will be mandatory for certain companies
Article 35 of the GDPR states that data protection officers must be appointed for all public authorities. In addition, a DPO will be required where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data”.
The introduction of mandatory privacy risk impact assessments
A risk-based approach must be adopted before undertaking higher-risk data processing activities. Data controllers will be required to conduct privacy impact assessments where privacy breach risks are high to analyse and minimise the risks to their data subjects.
New data breach notification requirements
Data controllers will be required to report data breaches to their data protection authority unless it is unlikely to represent a risk to the rights and freedoms of the data subjects in question. The notice must be made within 72 hours of data controllers becoming aware of it, unless there are exceptional circumstances, which will have to be justified.
The right to be forgotten
Data subjects have the “right to be forgotten”. The Regulation provides clear guidelines about the circumstances under which the right can be exercised.
The international transfer of data
Since the Regulation is also applicable to processors, organisations should be aware of the risk of transferring data to countries that are not part of the EU. Non-EU controllers may need to appoint representatives in the EU.
Data processor responsibilities
Data processors will have direct legal obligations and responsibilities, which means that processors can be held liable for data breaches. Contractual arrangements will need to be updated, and stipulating responsibilities and liabilities between the controller and processor will be an imperative requirement in future agreements. Parties will need to document their data responsibilities even more clearly, and the increased risk levels may impact service costs.
Data portability will allow a user to request a copy of personal data in a format usable by them and electronically transmissible to another processing system.
A new one-stop shop for businesses means that firms will only have to deal with a single supervisory authority, not one for each of the EU’s 28 member states, making it simpler and cheaper for companies to do business in the EU. This will also have a positive impact on Internet service providers with offices in several EU countries.
Privacy by design
The GDPR contains requirements that systems and processes must consider compliance with the principles of data protection. The essence of privacy by design is that privacy in a service or product is taken into account not only at the point of delivery, but from the inception of the product concept.
The Regulation mandates considerably tougher penalties than the DPA: breached organisations can expect fines of up to 4% of annual global turnover (NB turnover, not profit) or €20 million – whichever is greater.
Fines of this scale could very easily lead to business insolvency and, in some cases, closure. Data breaches are commonplace and increase in scale and severity every day. As Verizon’s 2016 Data Breach Investigations Report reaffirms, “no locale, industry or organisation is bulletproof when it comes to the compromise of data”, so it is vital that all organisations are aware of their new obligations so that they can prepare accordingly.
We have a Solution!
The web gateway platform built for the cloud that redefines the way cybersecurity is delivered.
Built for the cloud with a unified, elastic distributed architecture
- Deploys dedicated capacity, features and uniform policies where needed using cloud or on‑premises sensors.
- Provides uniform protection to all users and locations by managing all security policies, settings, and reports in real‑time from a single cloud admin console.
- Scales easily with built‑in elasticity as your bandwidth and cloud demands increase, future‑proofing your cybersecurity investment.
Powerful rapid detection and response capabilities reduce breach dwell time
- It’s all there – content filtering, stream‑based protection, including all ports and protocols (TCP & UDP), real‑time malware detection and response, behavioural analysis, cloud apps and social media controls, bandwidth optimisation and more.
- Fastest, most scalable SSL decryption with micro‑segmentation to selectively decrypt based on content, device, user, or group.