The GDPR is implemented as a regulation at EU level. This differs from some previous EU legislative initiatives, which have required corresponding legislation to be enacted by EU member state parliaments or their equivalents.
This is interesting from a number of viewpoints. First, it is an example of an “EU law” that requires no further action on the part of member states. Second, and as a consequence, it takes effect simultaneously across the entire EU, becoming enforceable from the 25th of May, 2018.
I’ve lost track of the number of items I receive in my inbox and on social media regarding the General Data Protection Regulation (GDPR). The industry “groupthink” regarding GDPR appears, at least to me, to have gone through something of a journey. Initially there was a concerted effort by many to raise awareness, then a period of overabundance leading to disinterest, and now renewed traction.
It seems to me part of this has been driven by the many and varied certifications, courses and seminars about GDPR since 2015, which have led to the industry developing a kind of playbook on how to manage GDPR when it comes into force. GDPR compliance is now considered in every information security activity as a matter of routine.
But what are the salient points about GDPR, and what will it mean for the security industry? Here are a few take-home observations that are noteworthy to me:
- The price for non-compliance is high: up to 4% of global turnover. Note that this refers to global turnover, not only turnover in the EU or the UK (member state). It is also not profit-based, so, it would seem, a loss-making business could be fined much the same as a profit-making one.
- Clearly defined (explicit) consent must be given by data subjects for processing. This in most cases will require a record of consent to exist on an opt-in basis, and may require some information system review and potential re-development.
- An information audit may be necessary to assess the data held in the “new GDPR world”. Assuming that existing arrangements will be sufficient is not, in itself, an adequate approach.
- A number of rights for individuals: a right to be informed, a right of access, a right to rectification, a right to erasure (sometimes called “right to be forgotten”), a right to restrict processing, a right to data portability, a right to object, and a right not to be subject to automated decision-making (including profiling).
- Existing DPA-compliant ICT processes and practices will, in all probability, be very helpful in attaining and sustaining GDPR compliance. While GDPR adds new regulatory concepts, underpinning principles that carry forward from DPA are clearly evident.
GDPR is a broad topic, and keeping abreast of this significant, transformational piece of EU legislation is highly recommended.
Hopefully when I get a moment to write more on this, I will. In the meantime, the ICO have a helpful series of guides and tools to learn more about GDPR.