General Data Protection Regulation, also known as GDPR, is a new regulation issued by the European Commission, the European Parliament and the Council of the European Union. Its main goal is to strengthen the protection of personal information within the EU and beyond it. The regulation rests on the principle that the EU wants to give people more control over how companies handle their personal information. There is also a business component: the EU wants to give companies a single, clear and standardized data protection law.
The GDPR was introduced at the end of April 2016. It replaces a directive that is already more than 20 years old. The new regulation takes effect on the 25th of May, 2018. By then, all companies that do business in Europe or handle the personal information of EU citizens must have implemented all necessary changes.
If we sketch a general portrait of a company that must comply with the new regulation, it is an enterprise that handles the personal information of EU citizens, even if it is not physically present in the European Union. Naturally, there are specific criteria for such companies. For instance:
- A business presence within the EU region
- Conducts operations with the personal data of EU citizens
- A team of more than 250 employees
- A team of fewer than 250 employees, if the company's processing has an impact on the personal information of EU citizens
The GDPR applies both to automated personal data and to manual filing systems in which personal data are accessible according to specific criteria. The GDPR refers to sensitive personal data as special categories of personal data. For example:
- Names, addresses, ID numbers
- Biometric data
- Health and genetic data
- Web data such as location, IP addresses, cookies and RFID tags
- Racial and ethnic data
- Political data
- Sexual data
In the technical domain, there are also data types such as Global Positioning System (GPS) data, media access control (MAC) addresses, unique mobile device identifiers (UDID) and International Mobile Equipment Identity (IMEI) numbers.
Penalties start with a written warning for a first case of non-compliance. After that, they can lead to regular data protection audits. Serious violations can result in fines of €10M to €20M, or 2% to 4% of the company's global annual turnover, whichever is higher, respectively.
Who is DPO?
New regulations always bring new positions and new job opportunities, and this case is no exception. DPO stands for Data Protection Officer. The EU regulation does not explicitly require hiring a separate person for this position: the role can be performed by an existing employee who possesses the full set of required skills and has no conflict of interest. The core responsibilities of this person overlap somewhat with those of the well-known Compliance Officer. The position requires advanced knowledge of data protection law, proficiency in managing IT processes, data security and the other issues around the processing of personal and sensitive data.
What is Pseudonymisation?
Pseudonymisation is a process of data transformation after which the resulting data cannot be attributed to a specific data subject without some additional information. Although this method is used to lower risks and enhance data protection, the GDPR requires that the additional information needed to get back to the original data be stored separately. The whole process is very similar to encryption, which we described in this article on the basis of mobile security.
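As an added illustration of the pseudonymisation described above (example code written for this article, not taken from the GDPR text or any vendor), the script below replaces the identifying fields of constructed sample records with a keyed token, keeps the token-to-identity mapping in a separate table, and shows that re-identification is only possible with that separately held information. The record layout, field names and the use of HMAC-SHA256 are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample records for illustration only (not real people).
RECORDS = [
    {"name": "Anna Example", "email": "anna@example.org", "diagnosis": "asthma"},
    {"name": "Bo Sample", "email": "bo@example.net", "diagnosis": "none"},
]
IDENTIFIERS = ("name", "email")  # directly identifying fields to replace


def pseudonymise(records, key, lookup):
    """Replace identifying fields with a keyed token.

    `key` is a secret held by the data controller; `lookup` receives the
    token -> identity mapping, i.e. the "additional information" that the
    GDPR says must be stored separately from the pseudonymised output.
    A keyed HMAC is used instead of a plain hash so that someone holding
    only the output cannot re-identify subjects by hashing guessed names
    or e-mail addresses (assumed design choice for this example).
    """
    out = []
    for rec in records:
        identity = "|".join(rec[f] for f in IDENTIFIERS)
        token = hmac.new(key, identity.encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {f: rec[f] for f in IDENTIFIERS}
        out.append({"subject": token,
                    **{k: v for k, v in rec.items() if k not in IDENTIFIERS}})
    return out


def reidentify(pseudo_rec, lookup):
    """Restore the identity; only possible with the separately stored lookup."""
    identity = lookup.get(pseudo_rec["subject"])
    if identity is None:
        raise KeyError("no additional information held for this token")
    return {**identity,
            **{k: v for k, v in pseudo_rec.items() if k != "subject"}}


if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)   # generated and kept apart from the data
    table = {}                      # the separately stored mapping
    shared = pseudonymise(RECORDS, key, table)
    print(shared)                    # contains tokens, no names or e-mails
    print(reidentify(shared[0], table))
```

Because the token is deterministic for a given key, records about the same person can still be linked across datasets without exposing who they are; changing the key or withholding the lookup table breaks that link.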
What to do?
Many questions come up about how to prepare for the GDPR and what exact steps need to be implemented. Here are a few recommendations that can help you start moving in the right direction on data protection and security:
- Make the company's management aware of the new regulation's details
- Involve and educate all departments within the organization
- Hire or outsource a DPO
- Prepare a set of data security actions
- Assess potential risks and plan ways to avoid them
- Request external consultancy if your company is small
- Test your reporting capacity and endurance time
- Always monitor for potential ways to improve compliance
Cloud service providers such as Amazon and Microsoft Azure have already announced GDPR compliance. For example, Amazon has an entire landing page dedicated to European data protection policies. Microsoft also declares that it will be GDPR compliant across its cloud services when the regulation takes effect on May 25, 2018. So nobody should be afraid of the new European regulation; it is only about being prepared and implementing the necessary measures at the right time. Evidently, this process will require a certain amount of investment, which will surely be repaid by mitigated risks and protected personal data of European citizens.