Ensure your company is GDPR Compliant by the May 2018 Deadline.
Just because your organization is based in the US does not mean you will not be caught up in this new regulation, which takes effect on May 25, 2018. This most significant overhaul of EU data protection regulation in recent history will greatly impact any organization that does business internationally. Therefore, any US-based company that targets consumers in the EU, monitors EU citizens, or offers goods or services in the EU (even if they are free) will have to comply.
Organizations caught not complying with these new regulations can be fined up to 4% of annual global turnover or 20 Million Euros.
What to know about the GDPR Regulation:
The General Data Protection Regulation (GDPR) is designed to enable individuals to better control their personal data.
Introduced to keep pace with the modern digital landscape, the GDPR is more extensive in scope and application than the current Data Protection Act (DPA). The Regulation extends the data rights of individuals, and requires organisations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organisational measures.
The Brexit Question:
UK organisations handling personal data will still need to comply with the GDPR, regardless of Brexit. The GDPR will come into force before the UK leaves the European Union, and the government has confirmed that the Regulation will apply, a position that has been confirmed by the Information Commissioner.
What You Need to Do - and How MDS Can Help:
The Certified MDS Cyber Security team has wide-ranging data protection expertise to help organizations prepare for the GDPR. We offer a comprehensive suite of information, resources, solutions and consultancy services. Highlighted below are the key changes introduced with the implementation of the GDPR:
The GDPR is a one-stop shop
A new one-stop shop for businesses means that firms will only have to deal with a single supervisory authority, not one for each of the EU’s 28 member states, making it simpler and cheaper for companies to do business in the EU. This will also have a positive impact on Internet service providers with offices in several EU countries.
If your business is not in the EU, you will still have to comply with the Regulation
Non-EU organisations that do business in the EU with EU data subjects’ personal data should prepare to comply with the Regulation. Those providing products or services to EU customers or processing their data may have to face the long arm of the law if an incident is reported.
The definition of personal data is broader
Data privacy encompasses other factors that could be used to identify an individual, such as their genetic, mental, economic, cultural or social identity. Companies should take measures to reduce the amount of personally identifiable information they store, and ensure that they do not store any information for longer than necessary.
Consent will be necessary for processing children's data
Parental consent will be required for the processing of personal data of children under age 16. EU Member States may lower the age requiring parental consent to 13.
Rules for obtaining valid consent have changed
The consent document should be laid out in simple terms. Silence or inactivity does not constitute consent; clear and affirmative consent to the processing of private data must be provided.
The appointment of a data protection officer (DPO) will be mandatory for certain companies
Article 35 of the GDPR states that data protection officers must be appointed for all public authorities. In addition, a DPO will be required where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data”.
Firms whose core business activities are not data processing are exempt from this obligation.
The GDPR does not specify credentials necessary for data protection officers, but does require that they have “expert knowledge of data protection law and practices.”
Mandatory Data protection impact assessments have been introduced
A risk-based approach must be adopted before undertaking higher-risk data processing activities. Data controllers will be required to conduct privacy impact assessments where privacy breach risks are high to analyse and minimise the risks to their data subjects.
There are new requirements for data breach notifications
Data controllers will be required to report data breaches to their data protection authority unless the breach is unlikely to present a risk to the rights and freedoms of the data subjects in question. The notice must be made within 72 hours of the data controller becoming aware of the breach, unless there are exceptional circumstances, which will have to be justified.
Where the risk to individuals is high, then the data subjects must be notified, although a specific timescale is not specified by the Regulation.
Regular supply chain reviews and audits will be required to ensure they are fit for purpose under the new security regime.
Data subjects have the right to be forgotten
Data subjects have the “right to be forgotten”. The Regulation provides clear guidelines about the circumstances under which the right can be exercised.
There are new restrictions on international data transfers
Since the Regulation is also applicable to processors, organisations should be aware of the risk of transferring data to countries that are not part of the EU. Non-EU controllers may need to appoint representatives in the EU.
Data processors share responsibility for protecting personal data
Data processors will have direct legal obligations and responsibilities, which means that processors can be held liable for data breaches. Contractual arrangements will need to be updated, and stipulating responsibilities and liabilities between the controller and processor will be an imperative requirement in future agreements. Parties will need to document their data responsibilities even more clearly, and the increased risk levels may impact service costs.
There are new requirements for data portability
Data portability will allow a user to request a copy of personal data in a format usable by them and electronically transmissible to another processing system.
Processes must be built on the principle of privacy by design
The GDPR contains requirements that systems and processes must consider compliance with the principles of data protection. The essence of privacy by design is that privacy in a service or product is taken into account not only at the point of delivery, but from the inception of the product concept.
There is also a requirement that controllers should only collect data necessary to fulfil specific purposes, discarding it when it is no longer required, to protect data subject rights.
Building out and maintaining your IT ecosystem doesn’t have to be a do-it-yourself project. MDS can help identify network issues, configure devices, and optimize your infrastructure to maximize efficiency and performance. Our consultants are highly trained technology specialists that understand the complexities of multi-vendor environments and have the knowledge and skills to help your business become more agile, customer-focused and operationally efficient.