The Timeline & Milestones for EU General Data Protection Regulation (GDPR)
Companies throughout the EU will face significant challenges in handling personal data when the General Data Protection Regulation (GDPR) goes live. The GDPR will automatically translate into national legislation and will bring dramatic changes to how personal data is collected, stored, accessed, disclosed and utilised from 2018.
General Data Protection Regulation (GDPR)
The existing EU data protection regime is based on the 1995 Data Protection Directive (95/46/EC). The significant advances in information technology over the past 20 years need to be reflected: fundamental changes in IT communication, data sharing, new IT, and data and cyber developments. The various EU member states cannot adopt a divergent approach to implementing the General Data Protection Directive in the future, so there will be uniformity between the member states.
General Data Protection Regulation (GDPR) is a harmonised data protection law
The GDPR can create IT governance and compliance difficulties for many businesses in recognising the challenges it poses. Although the GDPR is not likely to be enforceable before 2018, there will be a number of time constraints due to the scope and magnitude of the entire project.
We suggest that all EU companies begin with a workshop to determine the strategy and an assessment to define the obvious gaps before rolling out the GDPR compliance process. On the annual IT Security Day, on 25 August 2016, we will provide guidance on the impact of the GDPR on businesses and on what they should be doing right now to avoid major IT, data and reputational problems.
Obligations to respond in the event of a data breach.
The regulation requires organisations with 250 employees or more to have a Data Protection Officer, responsible for ensuring compliance. The most extreme consequence is that companies can be fined up to €100 million or between two and five percent of their global turnover in the event of a breach of personal data. Companies are also required to inform authorities of a data breach within 72 hours and to inform users of data breaches without any delay.
The GDPR security and data protection policies need entirely new roles and responsibilities to address data security and the safety of information systems within the organisation, to proactively monitor their networks, and to identify any potential security threat in real time.
Preparation for the new legislation is essential. Implementation of the General Data Protection Regulation will require a review of the current organisational setup, potential system upgrades, process changes, and providing all stakeholders with new implementation guidelines with a timeline and thresholds for IT governance and compliance.
High on the corporate IT strategic agenda
The liability, penalties, lawsuits and possible reputational damage in case of a breach or non-compliance make GDPR data protection a boardroom issue. Boards of Directors in most organisations now seriously consider how to ensure IT compliance with the GDPR, and cyber security and data security compliance now rank high on the strategic agenda.
To learn more about implementation and preparedness attend the IT and
Cyber Security Day at The Technical University of Denmark on the 25th
August 2016. Register today. http://www.riskability.org/2016/it-security/register.htm