Data flows and processes must be on every Director’s agenda right now. On 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council comes into effect, repealing Directive 95/46/EC. The General Data Protection Regulation (GDPR) harmonises data protection rules throughout the EU and also applies to foreign companies processing the personal data of people in the EU. The regulation protects natural persons with regard to the processing of personal data and governs the free movement of such data.
Organisations first need to establish whether they fall within the scope of the GDPR. Article 3 states that the GDPR applies:
“... to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, whether or not the processing takes place in the Union; and to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union where the processing relates to the offering of goods or services (whether free or paid for) or the monitoring of behaviour which takes place within the EU.”
Article 4 defines the two roles the regulation addresses:
“Processor – means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” (Article 4(8))
“Controller – means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data…” (Article 4(7))
What are the obligations for organisations?
· Article 17 – Right to erasure (‘right to be forgotten’): a data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller must erase the data without undue delay where one of the grounds in Article 17(1) applies (for example, the data are no longer necessary for the purpose they were collected for, or the data subject withdraws consent). The right is not absolute: Article 17(3) preserves processing that is necessary, among other things, to comply with a legal obligation or to establish, exercise or defend legal claims, so retention schedules and backup handling have to be designed with both the right and its exceptions in mind.
· Article 20 – Right to data portability: data subjects may receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format, and transmit it to another controller. It applies where the processing is based on consent or on a contract and is carried out by automated means (Article 20(1)).
· Articles 33 and 34 – Personal data breach notification: a controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; a processor must notify the controller without undue delay. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed (Article 34). The clock starts on awareness, which makes detection and incident-response capability a compliance matter, not only a security one.
· Article 37 – Data Protection Officer (DPO): a DPO must be designated by public authorities and by organisations whose core activities consist of regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data or data relating to criminal convictions. The 250-employee figure often quoted in this context comes from Article 30, not Article 37: enterprises with fewer than 250 employees are exempt from keeping a record of processing activities unless the processing is likely to result in a risk to data subjects, is not occasional, or involves special categories of data. The GDPR does not require the general registration with a supervisory authority that Directive 95/46/EC did; the DPO’s contact details must, however, be published and communicated to the supervisory authority (Article 37(7)).
What is the cost of non-compliance?
Non-compliant organisations face administrative fines of up to €20,000,000 or 4 per cent of total worldwide annual turnover for the preceding financial year, whichever is higher, for the most serious infringements (Article 83(5)). A lower tier of up to €10,000,000 or 2 per cent applies to other infringements, including breaches of the security, breach-notification and DPO obligations (Article 83(4)). Either tier is a devastating amount for most businesses.
How do I comply?
Ignorantia juris non excusat, or “ignorance of the law excuses no one”. The decision of where to store data, for how long, and what may be done with it is a strategic responsibility rather than an operational one. An appointed DPO must be selected on the basis of professional qualities and expert knowledge of data protection law and practice (Article 37(5)), and must have in-depth knowledge of the organisation’s architecture, people, processes and data flows. They should also have the right interpersonal skills and be respected by those they have to collaborate with, as the road to compliance can be an uphill struggle.
Organisations must start by identifying their data processing flows: where customer data ultimately resides, how it is protected and who is responsible for it. This inventory is also the raw material for the record of processing activities that Article 30 requires. An IT audit based on international standards is especially useful here. We at Kyte can carry out an audit of your data processing activities to identify gaps between your operation and the compliance requirements, and then assist you in closing those gaps.
Author: Owen Baldacchino
· Regulation (EU) 2016/679 of the European Parliament and of the Council 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
· Official Journal of the European Union L119/1 of the 4.5.2016
About the author:
This article was written by Owen Baldacchino, IT auditor with Kyte Consultants. At Kyte, we provide a wide range of advisory services to companies heavily reliant on information and communications technologies to achieve their business objectives.