New EU data protection rules published
Today (4th May 2016) the new EU data protection rules have been published in the Official Journal of the EU. The new rules take the form of the General Data Protection Regulation (GDPR), a regulation that will be directly applicable across all 28 EU member states and will modernise and unify data protection laws across the region. Following the one-stop-shop principle, businesses will only have to deal with one single supervisory authority.
Significantly, businesses that are found to be in breach of the GDPR may be liable to pay penalties of up to 4% of their total worldwide turnover, indicating that the EU intends data protection to become a board-level issue.
If you want to find out how the GDPR is going to affect you, and what you can do today, register for our webinar here: http://www.axesssystems.co.uk/gdpr-webinar
The GDPR will also introduce new data protection requirements. For example, businesses will be required to:
- Implement strict technical and organisational security measures, including pseudonymisation and data encryption;
- Notify data breaches to the relevant data protection authority/authorities within 72 hours. In certain circumstances the breach will also have to be notified to the affected data subjects;
- Appoint a data protection officer in certain circumstances (e.g. for companies processing sensitive data on a large scale or for those that collect consumer information);
- Conduct privacy impact assessments before carrying out high-risk data processing; and
- Build in privacy by design when processing personal data.
Unlike the current EU data protection rules, many of the new rules will also apply to data processors (e.g. an external payroll services provider processing data for an employer).
Although the GDPR will enter into force in 20 days, the new rules will only apply from 25 May 2018. That leaves businesses with around two years to bring their processing activities in line with the new data protection rules.
According to recital 134 to the GDPR “processing already under way on the date of application of this Regulation should be brought into conformity with this Regulation within the period of two years after which this Regulation enters into force.”
We therefore recommend that businesses start preparing for the GDPR now.
This blog was written for Gemalto by Tom De Cordier and appeared on the Gemalto blog site http://blog.gemalto.com/
Axess Systems is a Gemalto Gold Partner, and is a preferred technology partner for data encryption, key management and user access security.