The countdown is almost over. Slated to come into full effect on 25th May 2018, the General Data Protection Regulation (GDPR) is a remarkable piece of legislation, that will mark a fundamental shift in the approach towards data protection within Europe.
The latest data from compliance specialist Alchemetrics revealed that ICO fines could increase a staggering 4500% as a direct result of GDPR. Clearly, organizations are not yet prepared to meet this mandate. Gartner predicts that more than 50 percent of businesses will not be ready for GDPR by the time it goes into effect in May 2018. Bart Willemsen, research director at Gartner, said: “The GDPR will affect not only EU-based organizations but many data controllers and processors outside the EU as well”.
Those organizations found to be non-compliant can expect tough fines, strict consent laws, broad privacy rights and stiff penalties. Best make sure you’re compliant sooner rather than later!
GDPR – The key changes
With promises of heavy penalties for those who fail to abide by the regulations, the GDPR is set to reshape the manner in which organizations handle data privacy. It aims to sync all privacy laws to protect and empower data security by imposing stricter rules.
Although GDPR follows a similar approach to existing legislation, there are some noteworthy changes which I’ve listed below:
One of the most talked about elements of GDPR are the fines that would apply to businesses that don’t comply. The level of fines being imposed has increased to up to 4% of an organization’s turnover as the maximum fine and 2% of an organization’s turnover for less serious offenses.
GDPR applies to controllers and processors, both outside and inside the EU, who handle data generated in the European Union. All businesses offering goods and services to those within EU are subject to the regulation. So even if Britain opts out of European Union, the businesses located there may still have to stay compliant with GDPR.
Cross-border data transfers
Data transfer to third countries is permitted under GDPR but there are some set conditions. Such transfers can be done only to approved third countries outside the member states. Transfers done in violation with the regulation will be subject to hefty monetary fines.
A record of all data processing activities should be maintained in order to minimize breaches. Businesses must ensure that their policies are sufficient enough to satisfy the requirements of GDPR. Having clear security policies in place helps you meet the required standards. Training all the employees to understand their obligations can help in the long run.
Data Protection Officers (DPO)
The following companies will need to appoint a DPO under article 37:
- Public authorities or bodies, (not including courts)
- Companies processing data that requires “regular and systematic monitoring of data subjects on a large scale.”
- Companies who process, on a large scale, any special category of personal data that may reveal ethnic or racial origin, political opinion, philosophical beliefs, religious beliefs, or other such information.
- Companies who processes, on a large scale, data related to criminal offenses and convictions
If you fall under any of these categories, you’ll need a DPO in place. That DPO will oversee all data protection activities and the direct, systematic monitoring of data. That person will be involved in all aspects of data protection within the business.
One of the most noticeable developments of the GDPR is consent. A clear affirmation will be needed on all data subjects. Storing and using information will require individual consent along with a detailed explanation of how it is going to be used. Opt-out forms are no longer applicable.
When a security breach occurs, it the responsibility of the organization to report it to all customers and stakeholders. They will have to notify the concerned authorities within 72 hours of discovering the breach.
Privacy by Design
This is a legal requirement of GDPR in which companies will have to consider data privacy during all the design stages of the projects. Everything related to the privacy of personal data should be taken into consideration to control their storage and accessibility.
Best practices for staying compliant with the GDPR
Information Commissioner Elizabeth Denham describes consequences of GDPR as “the biggest change to data protection law for a generation”. So, what remedial steps can your organization take to stay compliant?
Assess existing processes
Performing a gap analysis will help to delineate the areas that need to be improved to achieve GDPR compliance effectively. Auditing the existing processes, new processes and personnel will provide a deeper insight into those that have to be upgraded or replaced.
Prepare for breaches
Getting real time notifications on any threat which is looming over your business enables you take the necessary steps well in advance. You won’t be able to achieve this through native auditing as the process is too manual and time consuming. So, I recommend that you introduce an auditing solution into your IT environment that automates these things (like LepideAuditor – but I’ll get to that in a minute).
Use the latest technologies to fill gaps
For data security, data auditing and data privacy needs, implement new technologies capable of meeting the requirements of GDPR’s data discovery. Proper technological safeguards, careful gap analysis and process mapping, will help identify the vulnerabilities. You should find that most third-party tools are gearing themselves up to ensure that they are able to help you meet GDPR. Help is out there if you can find it!
Track certified admins
It is crucial that you identify which user accounts have the permission to create, change or log into stored client data. An in-depth audit analysis of how data is stored, retrieved and manipulated needs to be done on a regular basis. Multi-factor authentication is recommended to control access to user credentials and other activities.
LepideAuditor – Meets your compliance requirements
LepideAuditor is an advanced auditing solution that continuously monitors and reports on all activities in your network infrastructure in order to help you meet the stringent requirements of GDPR.
Improve the security of your network with LepideAuditor, our comprehensive solution designed to help you address all manner of security, IT operations and compliance challenges. The automated audit reports gather granular event details that help you meet GDPR compliance requirements with ease and speed. Start a free trial today and see if it can help you meet you remain compliant!