Mayday! Are You Ready for GDPR?

Procrastinators beware: The EU’s new General Data Protection Regulation (GDPR) takes effect on May 25, 2018.

If you need an incentive to study up, remember that demand for GDPR knowledge (and how to comply with it) rose sharply in 2017, along with the salaries attached to it, according to data collected and analysed by ITJobsWatch.

If you’ve been putting it off, there’s not a moment to lose. Here is an overview of the regulation and some steps that you can take to get up to speed on the biggest data protection law in nearly 20 years.

New Framework

Regulation Overview

GDPR is Europe’s new framework for data protection that applies to “personal data” belonging to EU citizens, no matter where the datasets, servers or manual files reside, explained Simon Hinks, a data protection/GDPR practitioner for PMA Ltd.

The regulation also applies to companies outside the EU that sell to customers located in Europe, or that store data in European data centres, cloud servers or SaaS applications. What makes GDPR unique is that it is a regulation, not a directive, and it enforces a strict and broad definition of personal data: any information that can be used, on its own or in combination with other data, to identify an individual, explained Neil Penny, owner/director of Enarpee Services Ltd., a regulatory and compliance support services company.

For example, a simple MSISDN (phone number) stored on its own without an associated name or address will fall under the guidelines of GDPR. Hinks added that companies offering free downloads or free trial subscriptions will be impacted if they store a prospective customer’s information or IP address to keep them from signing up for the same free trial again. GDPR also covers images of customers or visitors captured by closed-circuit television systems.

Additionally impacted are third-party organisations (processors) that manage, modify, store or analyse that data on behalf of, or in conjunction with, data controllers. Essentially, all organisations will be required to actively track how and where personal data is stored and used throughout a supply chain, Penny noted. The regulation will directly affect data managers and security pros, and is likely to touch professionals working in Big Data, the Internet of Things (IoT), e-commerce, software development and cloud services. Note that the obligation to appoint a data protection officer is not tied to headcount: it applies to public authorities and to organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. The often-quoted 250-employee figure is instead the threshold below which some organisations are exempt from keeping formal records of their processing activities.

Key Principles and Requirements

If you’re looking for a reprieve from studying potential Brexit effects, keep in mind that Brexit will not impact the requirement to comply with GDPR. In fact, the UK government is planning to draft its own data protection bill that is expected to mirror and strengthen the protections outlined in GDPR.

If you’re new to GDPR, or to data protection policies in general, get up to speed quickly by studying the major principles that underpin the requirements for collecting, processing and retaining personal data.

Once you’ve mastered the principles, review the new requirements to identify those that will affect your job duties and your organisation. Hinks recommends that busy professionals who have day-to-day responsibility for data protection view the introductory video from the Information Commissioner’s Office (ICO) and work through its 12-step programme and readiness checklist.

For example, under GDPR, customer records can only be kept for as long as needed to fulfil the original purpose of collection, and customer silence, inactivity or pre-ticked boxes no longer constitute consent. Where consent is the lawful basis for processing, individuals must actively opt in to the storage, use and management of their personal data, and they have the right to request the deletion of their information (the right to erasure, commonly called “the right to be forgotten”). Therefore, many businesses will need to revise the policies and consent forms governing the collection and retention of customers’ personal information to comply with the new regulation.

And because GDPR requires that privacy be built into systems, software and processes by design and by default, software that holds personal data will need to be able to locate an individual’s data wherever it is held (including copies in logs, analytics datasets and backups) and erase it on request. “Companies need some sort of rationale behind their policies,” Hinks explained. “And they will need to be able to prove compliance and adherence to the guidelines if complaints are filed.”

Under GDPR, organisations must report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and must inform the affected individuals without undue delay when the breach is likely to result in a high risk to them. The regulation also encourages pseudonymisation and encryption as measures to protect personal data and the rights of individuals, and it requires data controllers to carry out data protection impact assessments (DPIAs, often still called privacy impact assessments) before any processing that is likely to result in a high risk to individuals.
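The article mentions pseudonymisation and the phone number (MSISDN) as a lone identifier, so here is an added example (not from the article, and not code from any of the firms quoted) of what pseudonymising that field actually involves. It shows that an unkeyed hash of a phone number is not pseudonymisation, because the number space is small enough to enumerate; that HMAC under a secret key held apart from the dataset fixes this while keeping rows for the same subject joinable; and how an erasure request is serviced against the result. The records, phone numbers and number range are constructed sample data.

```python
"""Pseudonymising a direct identifier with a keyed hash.

Added example (not from the article): shows why an unkeyed hash of a phone
number (MSISDN) is not pseudonymisation, how HMAC under a secret key fixes
that, and how an erasure request is serviced. All numbers and records below
are constructed sample data, not real subscribers.
"""
import hashlib
import hmac
import secrets

# Constructed sample dataset: two fictional subscribers, one with two rows.
RECORDS = [
    {"msisdn": "447700900123", "plan": "prepaid", "spend": 12.50},
    {"msisdn": "447700900456", "plan": "contract", "spend": 41.00},
    {"msisdn": "447700900123", "plan": "prepaid", "spend": 3.20},
]


def new_key() -> bytes:
    """Generate the dataset's pseudonymisation key. Store it apart from the
    data (HSM, KMS or secrets manager), never next to the pseudonymised rows."""
    return secrets.token_bytes(32)


def naive_token(identifier: str) -> str:
    """Unkeyed SHA-256. Deterministic, but anyone can recompute it for every
    candidate number, so it hides nothing from an attacker."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_token(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Still deterministic (rows for the same
    subject stay joinable) but cannot be recomputed without the key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key, field="msisdn"):
    """Replace `field` in each record with its keyed token.

    Returns the pseudonymised copies and a token -> identifier map. That map
    is the only way back to the individual and belongs in a separate,
    access-controlled store; the analytics dataset gets only the copies."""
    pseudo, lookup = [], {}
    for rec in records:
        tok = keyed_token(rec[field], key)
        lookup[tok] = rec[field]
        pseudo.append({**rec, field: tok})
    return pseudo, lookup


def enumerate_attack(target_token, prefix="4477009", digits=5, token_fn=naive_token):
    """Dictionary attack: hash every number in a known range and compare.
    The toy range here is 10**5 numbers; a whole national mobile numbering
    plan is only about 10**9, which is minutes of work on commodity hardware."""
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if hmac.compare_digest(token_fn(candidate), target_token):
            return candidate
    return None


def erase_subject(pseudo, lookup, identifier, key, field="msisdn"):
    """Service an erasure request: drop the subject's rows and the
    re-identification entry. Returns the remaining pseudonymised records."""
    tok = keyed_token(identifier, key)
    lookup.pop(tok, None)
    return [rec for rec in pseudo if rec[field] != tok]


if __name__ == "__main__":
    key = new_key()
    pseudo, lookup = pseudonymise(RECORDS, key)
    print("pseudonymised rows:", pseudo)
    # Unkeyed hash: the attacker recovers the number by enumeration.
    print("naive hash recovered:", enumerate_attack(naive_token(RECORDS[0]["msisdn"])))
    # Keyed token: the same attack finds nothing without the key.
    print("HMAC recovered:", enumerate_attack(keyed_token(RECORDS[0]["msisdn"], key)))
    remaining = erase_subject(pseudo, lookup, RECORDS[0]["msisdn"], key)
    print("rows after erasure:", remaining, "lookup entries:", len(lookup))
```

Two caveats a practitioner should keep in mind. Whoever holds the HMAC key can still confirm whether a known number is in the dataset, so the output is pseudonymised personal data, not anonymised data, and erasure has to remove the subject's rows rather than rely on the token being opaque. Rotating the key produces tokens that no longer link to earlier exports, which is useful when handing a dataset to a processor for a limited purpose.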

“Ignorance of the law is not a defence,” Penny warned. Those who want to learn more about GDPR and the ways to achieve compliance should consider enrolling in a certified training course.

“Severe breaches of GDPR could result in fines of up to €20m or 4 percent of worldwide turnover, whichever is greater,” Penny noted. Since carrots tend to motivate better than sticks, keep in mind that the average salary for some GDPR-related jobs is as high as £60,000 a year, per the ITJobsWatch data mentioned above.
