GDPR

GDPR at a Glance

  • Binding EU-wide regulation in place of the existing Data Protection Directive 95/46/EC
  • Regulation will become active on 25th May 2018, at which point all EU companies must be compliant
  • Fines for non-compliance of up to €20m or 4% of global annual turnover
  • Privacy by Design means technical systems must be designed such that compliance is achieved by default
  • Mismanaged data transfers represent a significant breach risk

GDPR and Data Transfer

  • Data is continuously being transferred both inside and outside your organisation in order to support essential operations. Wherever “personal data” is involved, you face extensive obligations under GDPR.
  • Improperly handled data transfers create a significant risk of breach, whether caused by inefficiency, accident/oversight or sabotage.

GDPR and The Role Of The DPO (Data Protection Officer)

  • A significant number of organisations will now be legally required to appoint a DPO, many for the first time. The DPO role may differ significantly from your current jobholder/compliance officer, and comes with a specific status level, set of powers and professional obligations to “co-operate with the supervisory authority”.
  • Described as “the conductor of the data orchestra”, the DPO will be responsible for defining and executing best practice for any and all technical processes required by your organisation in order to comply with GDPR.

GDPR and Mapping your Data

  • Under GDPR, organisations must be fully accountable for all data flows, but visualising and mapping data flows without the appropriate tools is very challenging. Without that visibility, there can be no accountability.
  • Since many organisations manage data transfer via an uncoordinated collection of in-house technical scripts, each often performing one task in isolation, the higher level of visibility required to comply with GDPR is often absent.

GDPR and Data Classifications & Risk Profiles

  • Under GDPR, the highest fines will be levied in cases where a breach involves “special categories” of sensitive data (e.g. disclosing health, race, political or religious information). Specific valid purposes, plus appropriate internal workflows and authorisation/permissions, must be applied to such data in order to minimise the risk of non-compliance.
  • Systems may need to be upgraded or replaced in order to recognise and categorise data types accurately and provide the operational controls appropriate to the risk level.

GDPR and Cross-border Data Transfers

  • GDPR is global in its scope, meaning any overseas organisation with which you transfer or exchange data is itself fully obliged to comply with the terms of the regulation.
  • Special precautions must be taken when transferring personal data to a non-EU country and/or any country lacking an adequate data protection framework. You are liable for the adequacy of the third party.

GDPR and Privacy By Design / PIAs

  • GDPR demands that privacy is built in by default to all operations and processes involving personal data, i.e. Privacy by Design. Privacy by Design brings an obligation to incorporate privacy protections into products and systems at the outset of their development.
  • Executing a Privacy Impact Assessment (PIA) is essential for the implementation of Privacy by Design. According to most legal experts, the in-house scripts used by many businesses for data transfer will almost certainly fail a PIA under GDPR rules.
  • Following data protection best practice, the completion of a PIA with full visibility of the transfers affected is one of the factors likely to mitigate the size of any fine associated with a data breach.

GDPR and Breach Reporting

  • Once a GDPR-compliant data transfer tool is implemented correctly, the risk of a data breach through your data transfers is massively reduced. However, if a data breach still occurs (for instance through a cyber-attack or employee sabotage), GDPR requires organisations to notify the national authority and provide full details surrounding the event no later than 72 hours after the breach.
  • In this scenario, the correct reporting tools must be in place in order to act fast, and so mitigate or remove the threat of fines.