The EU General Data Protection Regulation Change
Layer One Media’s clients do business worldwide. As such, they are constantly collecting data on their customers and website visitors. Recently, the EU Council and Parliament adopted new regulations that will affect not only third-party cloud providers but also the companies that collect the data. The following is a bulletin we think you’ll find helpful in preparing for the change:
The European General Data Protection Regulation represents the most significant change to data protection in the UK and EU since 1995.
The EU Council and the Parliament both adopted the regulation in April 2016. The regulation will take effect after a two-year transition period. Once in effect, it will have the force of law across all 27 EU states, giving uniformity of data protection laws across all member states and significantly increasing penalties for non-compliance. The ISF, working with its members, has identified the top five actions to take:
- Get your privacy policies, procedures and documentation in order and keep them up to date: data protection authorities will be able to ask for these at any time.
- Form a governance group that oversees all your privacy activities, led by a senior manager or executive. If you have over 250 employees, appoint a data protection officer. The group should develop metrics to measure the status of privacy efforts, report regularly and create statements of compliance that will be required as part of your organization’s annual report.
- Implement a breach notification process and enhance your incident management processes and your detection and response capabilities. Any data breach must be reported to the relevant data protection authority, even if protective measures, such as encryption, are in place, or the likelihood of harm is low.
- Prepare your organization to fulfill the "right to be forgotten", "right to erasure" and the "right to data portability". A strategy covering topics such as data classification, retention, collection, destruction, storage and search will be required – and it should cover all mechanisms by which data is collected, including the internet, call centers and paper.
- Create and enforce privacy throughout your systems' life cycles to meet the "privacy by design" requirement, whether you buy or develop. This will ensure privacy controls are stronger, simpler to implement, harder to bypass and fully embedded in a system’s core functionality.