DATA PROTECTION REGULATIONS
The countdown to tougher privacy legislation has started
Complex new data privacy laws have now been approved, and they will change how companies in every country protect the personal data of EU citizens. Organisations in countries outside the EU which store any personal details of EU citizens will also be affected by the General Data Protection Regulation (GDPR). In the UK, the Data Protection Act overlaps significantly and already applies. The ICO currently advises: “UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018”. Significant penalties for non-compliance mean organisations will need to gain a clear understanding of what sensitive personal data they store, and to evaluate the processes they use to manage and protect it, before the compliance deadline on 25 May 2018.
Countdown to GDPR Compliance
Personal data is any data which can be used to identify a specific individual. Any file containing unique attributes such as a National Insurance Number or NHS number, or a unique combination of information about an individual such as driving licences, passport records, utility bills, birth certificates, credit card or bank account details, can be used to distinguish one person from another and is therefore classed as personal data. In future, such information will need to be managed very carefully in every organisation. GDPR has its own specific definition of personal data, but it overlaps significantly with the American definition of PII (personally identifiable information), which can be identified in the same way.
All businesses will need to be able to demonstrate quickly how they comply with the legislation, and larger companies must specifically employ a data protection officer. The full detail is captured in a complex 119-page EU document and an accompanying 55-page document relating to law enforcement agencies, but the key points to note are:
- EU citizens will have more control over how their data is processed
- EU citizens will have the right to know if their data has been leaked
- EU citizens will have the right to be forgotten, balanced against retention requirements and the right to freedom of expression
- EU citizens will gain the right to data portability, enabling easier transfer of their personal data between service providers
- Businesses will be required to comply with a single set of rules across the EU, rather than answering to 28 separate authorities
- Businesses based outside the EU will also have to comply, when offering their services to customers within the EU
- Businesses can be fined up to 4% of global turnover or €20M for non-compliance
- Businesses can remediate or redact their non-compliant data using technology:
  - Anonymisation (removing personally identifiable information where it is not needed)
  - Pseudonymisation (replacing personally identifiable material with artificial identifiers)
  - Encryption (encoding messages so that only those authorised can read them)
The first step to compliance is to understand what personal data is stored (and possibly buried and lost). In addition to revealing exactly where up to thirty-five types of personal data are located, Connexus IG’s groundbreaking Information Audit rapidly delivers deep insight into the broader quality and health of your digital landfill. This evaluation of the value of different types of data leads to the creation or enhancement of DLP (Data Loss Prevention) policies within a broader Information Governance strategy to manage and protect that data. Our unrivalled combination of world-class consulting and revolutionary software enables you to identify the risks and take control.
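The two steps the page describes, locating identifiers such as NI and NHS numbers in stored text and then pseudonymising them with artificial identifiers, are shown together in this added Python example; it is not Connexus IG's code, and the sample records, the regular expressions and the HMAC key are constructed assumptions. A 10-digit run is only treated as an NHS number when its modulus-11 check digit holds, and each confirmed identifier is replaced by a keyed token that is stable across spacing variants, so records can still be linked without exposing the original value.

```python
import hashlib
import hmac
import re

# Constructed sample records (fictitious people and numbers), not real data.
SAMPLE_RECORDS = [
    "Patient 943 476 5919 seen by Dr Smith, NI QQ123456C on file",
    "Invoice ref 123 456 7890 for AB 12 34 56 D, paid by card",
    "Minutes of the Q3 planning meeting, no personal data",
]

# Assumed patterns: NI number (2 letters, 6 digits, suffix A-D) and the
# 10-digit NHS number, with the optional spacing seen in documents.
NI_RE = re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b")
NHS_RE = re.compile(r"\b\d{3}\s?\d{3}\s?\d{4}\b")


def nhs_checksum_ok(candidate):
    """Modulus-11 check digit: rejects 10-digit values that only look like NHS numbers."""
    digits = candidate.replace(" ", "")
    total = sum(int(d) * (10 - i) for i, d in enumerate(digits[:9]))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    return check != 10 and check == int(digits[9])


def pseudonymise(text, key):
    """Swap each confirmed identifier for a keyed, deterministic token; return (text, findings)."""
    findings = []

    def token(kind, value):
        normalised = value.replace(" ", "")  # "AB 12 34 56 D" and "AB123456D" share a token
        digest = hmac.new(key, f"{kind}:{normalised}".encode(), hashlib.sha256).hexdigest()
        return f"{kind}-{digest[:12]}"

    def nhs_sub(m):
        if not nhs_checksum_ok(m.group(0)):
            return m.group(0)  # check digit fails, so this is not an NHS number: leave it
        findings.append(("NHS", m.group(0)))
        return token("NHS", m.group(0))

    def ni_sub(m):
        findings.append(("NI", m.group(0)))
        return token("NI", m.group(0))

    text = NHS_RE.sub(nhs_sub, text)
    text = NI_RE.sub(ni_sub, text)
    return text, findings


def audit(records, key):
    """Pseudonymise every record; return (redacted records, all findings)."""
    results = [pseudonymise(r, key) for r in records]
    return [t for t, _ in results], [f for _, fs in results for f in fs]
```

The key must be kept apart from the pseudonymised data and the findings log: anyone holding both the key and a guessed identifier can recompute its token, which is why pseudonymised data is still personal data under GDPR.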