GDPR promises to be the biggest shake-up to European privacy laws in 20 years.
FTSE 100 companies could face fines of up to £5 billion a year if they don’t comply with the EU General Data Protection Regulation, according to an analysis by global management consultancy Oliver Wyman.
The General Data Protection Regulation (GDPR) is an act of the European Parliament (Regulation (EU) 2016/679) that was adopted in April 2016 and will be enforced across the European Union on the 25th May 2018; just 8 months away. Once enforced, it is designed to update the existing data protection regulations so that they fit a modern, digital age.
As with any new regulation, AuditComply conducts a full review to see how the changes will affect current and future customers across the multiple industries that we operate in. We take seriously how these changes impact our software platform, and we continuously adapt and innovate to meet the requirements of all of our customers. We know that undertaking a data protection audit is an essential first step in achieving compliance with the GDPR.
Added to this, unlike planned annual audits, the new regulation requires continuous compliance. This is not a one-time exercise but an ongoing assessment process – companies need to be compliant every day of the year!
Who does GDPR affect?
- Every company with a presence in an EU country.
- Every company with no presence in the EU that still processes the personal data of European residents.
- Any company whose data processing impacts the rights and freedoms of EU citizens, or includes certain types of sensitive personal data. That effectively means almost all companies.
“My business is outside the EU”
This new regulation will affect not just European companies but any company that offers goods and services to EU residents, or monitors their behavior, and therefore processes any of their data. In other words, organizations in any industry that operate outside the EU but conduct business within it will be subject to GDPR compliance starting May 25, 2018.
Chris McMillan, a Partner in the data and technology arm of Oliver Wyman, said:
In the tug-of-war between companies and their customers over personal data, GDPR falls firmly in the consumer’s favor. With fines of up to four percent of global turnover or €20 million on the table, non-compliance is simply not an option.
“Let’s talk about ISO 27001”
The GDPR encourages the use of certification schemes like ISO 27001 as a way of demonstrating that an organization is actively managing its data security in line with international best practice. ISO 27001:2013 outlines 114 controls that can be used to reduce information security risks. The Standard covers three key components of data security – people, processes, and technology. Since the controls an organization implements are based on the outcomes of an ISO 27001-compliant risk assessment, the organization will be able to identify which assets are at risk and require encryption to be adequately protected.
Of course, there are some GDPR requirements that are not directly covered by ISO 27001, such as supporting the rights of data subjects: the right to be informed, the right to have their data deleted, and the right to data portability. Implementing ISO 27001 addresses many of the GDPR's requirements, but it will not assure complete GDPR compliance on its own.
What are your next steps?
Below are steps provided by AuditComply and the GDPR Awareness Coalition. The GDPR Awareness Coalition is a not-for-profit organization providing services to assist in raising awareness of GDPR and the FIRST steps towards GDPR compliance.
Will you be ready?
EU regulators know that you can do all the right things to become GDPR compliant and still suffer a future breach. What matters is that a company can demonstrate that it has thoughtfully considered its GDPR compliance requirements and has taken appropriate steps to meet them.
For more information on how to be GDPR compliant, visit the ICO.
For more information about the GDPR Coalition, drop an email to ambassador@gdprcoalition.ie or visit www.gdprcoalition.ie.
Disclaimer: This blog is not legal advice and should be considered educational in nature. You may implement this advice at your own risk.