GDPR, or the General Data Protection Regulation was top of mind for many attendees at Info Security Europe 2016.
The GDPR is due to come into force in 2018 and has the potential to significantly alter the way businesses handle data. At over 200 pages long, the regulation is possibly the most wide-ranging pieces of legislation passed; ever.
Notable GDPR Implications
The introduction of new or a revamp of existing concepts in GDPR will cause some major changes to the operations of companies. These include,
Consent for children: In order to use data relating to children, companies will need to seek parental consent. Children are identified as ‘vulnerable individuals’ and deserving of ‘specific protection.’
Personal & Sensitive Data: The definition of what is personal or sensitive data has been expanded to include genetic and biometric data. Relevant to this is the introduction of tokenization as a privacy tool.
Breach Communication law: A new security breach communication law will be introduced for all data controllers.
Data Protection by Design: Businesses will need to demonstrate technical and procedural processes have been implemented which adhere to GDPR requirements at an early stage.
Enhanced individual rights: Includes the right to be forgotten, the right to request the porting of personal data to an alternative service provider, amongst others.
Subject access: Upon request, data controllers must confirm if they have an individual’s personal data and provide a copy within one month. This will require organisations to assess its ability to provide data in a timely and accurate manner.
Transferring data outside of the EEA: Under GDPR, transferring of personal data to countries outside of the EEA will continue to be restricted and will remain a significant issue for multinational organisations.
Are you ready?
These are just some of the high-level changes that GDPR will bring in for European businesses. As more businesses delve into the details, more challenges will undoubtedly emerge. The UK’s Information Commissioner’s Office has been releasing guidance on how companies can prepare.
Some companies I spoke to said they were preparing to appoint Data Privacy Officers across the business to assist with GDPR. Others were engaging external consultants to help with the implementation. Whichever way you look – it seems as if GDPR will remain a talking point for many years to come.