The EU General Data Protection Regulation (GDPR) has now passed its final stages, with the final text of the GDPR published in the EU Official Journal on May 4, 2016. The Regulation will enter into force on May 24, 2016, though the rules shall apply after a two-year transition phase, beginning May 25, 2018. Also coming into effect is the EU Data Protection Directive (NIS Directive) for the police and criminal justice sector as well as ISPs and telecoms; the Directive entered into force on May 5, 2016 and is effective as of May 6, 2018.
The finalization of the Regulation and Directive, paired with the upcoming Trans-Atlantic Privacy Law, means that for all organizations that handle data for European citizens, quite a lot of changes will need to take place in order to remain compliant with these new requirements. These changes include:
- Organizations must have a way to disclose information to individuals about their personal data and how it’s processed. Individuals will additionally have the right to be forgotten, the right to port their data to another provider and the right to object to decisions taken by automated processes.
- Strict conditions for consent
- Changes in the age of consent for the processing of personal data
- The expansion of the definition of “sensitive” data
- The integration of pseudonymisation, which involves processing personal data without identification of the subject
- Strict data breach requirements
- The need for Data Protection Officers in certain circumstances
- The protection of personal data “by design and default”
- The requirement to conduct a privacy impact assessment before high risk processing
All of these requirements come with additional administrative fines for data breaches, up to 4% of group annual worldwide turnover (to a maximum of €20 million / approximately $23 million U.S. dollars). Accountability is the core of the new GDPR rules, so organizations must have a way to demonstrate they have taken appropriate steps to safeguard personal data.
— Absolute (@absolutecorp) May 18, 2016
The GDPR will apply to organizations established in the EU, as well as organizations that process the personal data of EU subjects. Currently, only half of US-based organizations are aware of, or are preparing to deal with, the requirements of the GDPR, which is a costly position to be in for many organizations. With so many changes afoot, it’s important that organizations plan for the future, starting as soon as possible. Our friends at Corder have put together a series of 10 action points to get you started on your compliance changes. We also invite you to read about the Top 5 Things You Need to Know about the EU GDPR, then take steps to Avoid the Pitfalls of the New EU Data Protection Regime.
Absolute Data & Device Security (DDS) allows organisations to persistently track and secure all of their endpoints and the data they contain within a single cloud-based console. Computers and ultra-portable devices such as netbooks, tablets, and smartphones, and the data they contain, can be remotely managed and secured to ensure, and most importantly prove, that endpoint IT compliance processes are properly implemented and enforced. Learn more here.