The recent increase in the number and impact of cyberattacks aimed at stealing information has made it necessary to change data protection legislation in Europe. The GDPR (General Data Protection Regulation), which will be implemented in May 2018, aims to protect the data of European citizens and monitor how organizations process, store and use this data. Broadly speaking, with this new regulation the European Commission has sought to give Europeans control over their data, removing the ambiguities of the previous legislation (dating back to 1995), and to unify the specific legislation of each country.
What changes with this new regulation?
The GDPR contains almost 100 articles which, in short, guarantee individuals access to their data and spell out more clearly the responsibility companies will bear. Here are the main changes from the previous regulation that the GDPR will bring about:
- Scope of the regulation: The GDPR affects all organizations that store EU citizen data, even if they do not have a physical presence in Europe.
- Obtaining explicit consent: Organizations have an obligation to obtain explicit and active consent from the individual following a fully transparent explanation of how the data will be treated (processing, storage or use of data). It is no longer enough to inform the user, but the person must actively express their agreement.
- Right of access: all citizens will have the right to obtain confirmation of whether or not a company is using their personal data. If so, they have the right to access this data, and the organization will be required to provide a copy, as well as explain the purposes of the processing, the criteria used, and the period for which the data will be stored. The GDPR also includes the right to rectify the data.
- Right to be forgotten: this is probably the most salient of the rights included in the new regulation. This article allows the user to request the erasure of their personal data for various reasons: if the data is no longer necessary for the purpose for which it was collected, if the consent has been withdrawn, if the data was obtained in an illegal way, etc.
- Right of portability: the user will have the right to request that the organization that stores their personal data provide a copy or transfer this data to another organization.
- Company responsibility: in general terms, the responsibilities of companies and institutions have been expanded under the GDPR. Organizations will be required to implement monitoring systems, document the procedures for collecting, storing and using personal data (in companies of more than 250 employees), report any security breach or attack to the authorities within 72 hours, and even hire a data protection officer (DPO) in companies that handle large amounts of sensitive information.
What can companies do to be prepared?
- Protect the data. It may seem obvious, but this is the basis of any GDPR adaptation plan: it is necessary to actively reinforce information security throughout the life cycle of the data you store. To help companies in this process, Panda Security offers Adaptive Defense, which includes the tools necessary to implement these prevention measures.
- Implement an explicit consent program for clients. With the new regulations, all companies will have to offer their customers the option to actively express their consent for the treatment and use of their data.
- Develop an action plan. To avoid being overwhelmed by the application of the GDPR, the first thing is to have a plan, starting with an analysis of the company's current situation in terms of obtaining, processing, storing and using personal data. In our “Preparation Guide to the New European General Data Protection Regulation”, we offer some useful guidelines for making the transition to GDPR compliance.
8 comments
For the US and North American markets, GDPR compliance is becoming quite challenging, as companies are struggling immensely with scoping issues and documentation issues. More specifically, I’m finding that controllers and processors are unclear at times as to what’s in scope, then further challenged by the complete lack of policies and procedures in place. I look at GDPR compliance as a two-fold process, and that’s (1) putting in place the actual processes and best practices, and then (2) documenting such processes and practices with well-written, factual policies and procedures.
The amount of time and money that organizations are spending on policy creation, along with acquiring additional tools for GDPR compliance, is quite staggering, but again, it’s got to be done. Hopefully, as time passes, the EU will provide better guidance on many of the articles that are currently somewhat vague. This has obviously been done to account for the large number of industries that need to become compliant. Well, good luck with everyone’s GDPR compliance issues, and do all you can to meet the deadline of May 2018.
Thanks a lot, Grant, for your comment and the interesting points you highlight in it.
Hopefully most companies get to implement GDPR before May 2018.
Kind regards,
Panda Security.