The General Data Protection Regulation (EU GDPR)
For many, April 14th will go down in history as the day the world (well, Europe anyway) woke up and realized the importance of privacy laws designed for the 21st Century.
What is the EU GDPR?
A regulation intended to govern the movement of personal data within the European Union; it forms part of EU privacy and human rights law.
It repeals Directive 95/46/EC and is intended to form a single, all-encompassing data protection law across all EU member states. The regulation replaces the 1995 EU Data Protection Directive, which was written when the internet was in its infancy and cloud-based data was a pipe dream.
The main focus of the regulation is a person’s right to control their own personal data. Companies will no longer be able to brush data protection issues under the carpet; if they do, they are liable for astronomical fines.
Are you ready for these figures?
Organizations not in compliance can be liable for fines of up to 4% of their global revenue or €20 million / £15.8 million / $22.6 million, whichever is greater.
What is the time scale?
- The law was passed on Thursday, April 14th.
- The regulation enters into force 20 days after its publication in the EU Official Journal.
- All member states will need to be in compliance two years from that date, so approximately May 2018.
Who will this impact?
In a nutshell, all EU member states. This raises an interesting question in the UK, with the ‘Brexit’ poll only 10 weeks away. Even if the UK leaves the EU, it is expected to align its own data protection policies with the GDPR.
As for the rest of the world: if you trade in the EU zone, you will be expected to comply with the regulation, which very likely many currently do not.
This has far wider implications globally. All multinationals, and even SMB organizations, that trade with the EU will be affected. Therefore, if you want the EU as a trade partner, you need to take serious note of the GDPR.
How Can STEALTHbits help?
STEALTHbits offers data access governance solutions that allow organizations of all sizes to gain insight into who has access to sensitive data, appropriately limit that access, and remediate potentially stale data. These are the critical questions organizations need to answer to be in compliance with this new legislation.
A few key items to note:
- Children’s data processing will require parental consent.
- All consent documentation must be clear, so an end to lawyer-speak and small print.
- All public authorities must have a designated Data Protection Officer.
- All potentially high-risk activities must have a comprehensive risk assessment undertaken.
- All data breaches that potentially risk rights and freedoms must be reported within 72 hours.
- Regular supply chain reviews and audits are a requirement.
- Data subjects have the right to be ‘forgotten’.
- The risk of transferring data out of the EU has to be considered. Non-EU organizations may need to appoint an EU-based data controller representative.
- Data processors will have direct legal obligations and responsibilities, meaning they are liable for all data breaches. This will require a review of, and probable amendments to, contracts and responsibilities.
- Data privacy is the essence of the regulation and must be considered not only at the point of delivery, but throughout the whole data collection and use process. Once used, data must be discarded when no longer required.
If you want to peruse the full 261-page legislation, here is a link to the full document: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CONSIL:ST_5419_2016_INIT&from=EN
Mark Wilson is a Director of Product Management at STEALTHbits Technologies.
He is the lead pre-sales consultant in the EMEA region and a key member of the global Product Marketing team.
Mark has 18 years’ experience working in virtually all technical support and consulting roles across both the public and private sectors in the UK, EMEA and globally.
Areas of specialism include compliance, data governance, IAM, migrations and consolidations.