GDPR (General Data Protection Regulation) should be applicable across the 28 EU member states by the end of 2017. Are your data security practices in compliance with GDPR?
What is the GDPR?
The European Union's General Data Protection Regulation is designed to replace the patchwork of data protection regulatory authorities in the 28 member states with a framework that will apply across the Union. Additionally, it will apply to any non-EU businesses that handle the data of EU citizens in Union. This means that the biggest cloud and social media companies such as Google, Facebook, Twitter, Microsoft, Apple, will be required to comply with the regulations.
The first draft of the regulation was published by the European Commission in 2012. It is hoped that a final agreement will be reached by the end of 2015. That will then usher in the two-year period before which the GDPR comes into force, meaning it should—in theory—be applicable across the 28 member states by the end of 2017.
What Are the Key Points of the GDPR?
Consent
One big change for any business that handles personal data is that it will have to seek clear consent from customers, staff and suppliers for use of their data. That applies both to data gathered after the implementation of the regulation and—crucially—data that's already held.
Best Practice:
All existing data will have to be audited to make sure it complies with the new standard.
Disclosure
The current draft of the regulation requires any organisation suffering a breach to notify it within 72 hours to the Data Protection Authority and anyone affected by a breach.
Best Practice:
Organisations worldwide would be required by GDPR to notify EU citizens of any data breach within 72 hours.
Right to be Forgotten
Businesses handling the data of EU citizens will have to erase data "without undue delay" if the individual asks them to do so, if the data was unlawfully processed or if they're required to do so by law.
Best Practice:
Any organisation holding data of EU citizens needs to be thinking about how to implement processes for responding to "right to be forgotten" requests in a timely fashion.
Penalties
The current proposal is for fines of up to €1m or 2 percent of global turnover, depending on the seriousness of the breach.
Conclusions
Although the language and process of the European Union and its legislature might seem glacial and opaque, time is of the essence for businesses all over the EU and the rest of the world. It's critical that organisations use the next two years to really get to know their own data landscape, to identify areas that need attention and to identify the technologies and service providers that can help them be ready for the day the new regime comes into force.
Ipswitch's MOVEit Managed File Transfer offers secure and reliable transfer of sensitive data among and between business partners.