General Data Protection Regulation
What to Expect
GDPR applies to organisations established in the EU and also to organisations outside the EU that process the personal data of individuals in the EU (for example, by offering them goods or services or by monitoring their behaviour).
Data Protection Officer
An organisation must appoint a data protection officer (DPO) if it is a public authority, if its core activities involve regular and systematic monitoring of individuals on a large scale, or if its core activities involve large-scale processing of special categories of data (such as health data) or data relating to criminal convictions. There is no headcount threshold for this duty; the 250-employee figure often quoted relates only to a partial exemption from record-keeping obligations, not to the DPO requirement.
Single Set of Rules
Each member state establishes a Supervisory Authority (SA), which is responsible for enforcement in its own country but cooperates with the other SAs so that organisations face a consistent set of rules across the EU.
The GDPR requires the data controller (not only the DPO) to notify the SA of a personal data breach "without undue delay" and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to individuals, they must be informed as well.
Privacy by Design
Privacy must be built into all new projects and initiatives from the outset, including the requirement for privacy impact assessments (PIAs, called data protection impact assessments in the Regulation itself) to be conducted where processing is likely to result in a high risk to the rights and freedoms of individuals.
Fines
A two-tier fine system applies to infringements. The lower tier allows fines of up to EUR 10 million or two percent of worldwide annual turnover, and the higher tier fines of up to EUR 20 million or four percent of worldwide annual turnover (in each case whichever is greater).
Consent
Where consent is relied on as the lawful basis for processing, it must be freely given, specific, informed and unambiguous, and the purpose of the processing must be fully explained; explicit consent is required for special categories of data. Consent must be an active opt-in (pre-ticked boxes and silence do not count) and must be as easy to withdraw at any time as it was to give.
Right to Erasure
Also called the 'right to be forgotten', this control gives the data subject the right to require a business to permanently delete the personal data it holds about them on any of a number of grounds, for example where the data are no longer necessary for the purpose for which they were collected or where the individual withdraws consent. The right is not absolute: the business may retain data where it is needed to comply with a legal obligation or for other grounds set out in the Regulation.
Responsibility and Accountability
The existing privacy notice (transparency) requirements remain. Notices must also state the retention period for personal data (or the criteria used to determine it) and the contact details of the data controller and, where one has been appointed, the data protection officer.
Data Portability
A data subject shall be able to receive the personal data they have provided in a structured, commonly used and machine-readable format and to transfer it from one electronic processing system into another, without being prevented from doing so by the data controller.
Top 5 Steps to GDPR Compliance
Gain top level management buy-in as change must be driven from the top.
Conduct a current state assessment to understand your existing level of compliance.
Develop a security incident response process, with templates for notifying the supervisory authority within 72 hours and for informing affected individuals where a breach is likely to result in a high risk to them.
Create or update policies and processes for the protection of personal information.
Provide training for all employees so that they understand their responsibilities for protecting personal data and how to report a breach.