EU Data Protection Regulation

0 Shares

by Dr. Grigorios Fragkos, Senior Information Security Consultant, SysnetLabs

The globalisation of data and the enormous technological developments of the last decade raises a number of new challenges when it comes to data protection and privacy. Current privacy legislation has not yet caught up with the technology boom when it comes to personal data, and fails to consider aspects such as cloud storage and the wide spread use of social networks.

 

This is set to change with the launch of the proposed EU Data Protection Regulation. The new EU Data Protection Regulation will not only apply to European businesses, but it will also extend to all foreign companies that process data belonging to EU residents. Effectively, any business that has European customers will need to be compliant with the new regulation.

 

Where companies fail to meet the regulation, severe penalties may be issued; for example, penalties for loss of personal data will be up to 5% of the annual turnover or €100m depending on the size of the organisation. These penalties are designed to make sure that the Data Protection Regulation will be taken seriously in the boardroom.

 

The proposed regulation will enforce the process of regularly testing, assessing and evaluating the effectiveness of a company’s security policies. In addition, businesses will need to maintain records of all personal data that they process and, in the event of a breach, will be required to notify their local Data Protection Authority (DPA) within a legally defined timescale.
 

Businesses will also be required to adopt appropriate compliance procedures and policies for handling data that will need to be reviewed every two years along with privacy impact assessments.

 

Webpage URL

Find out more about our Cyber Security and Compliance Solutions

Request a Callback

Regulation

The regulation expects businesses that handle the personal data of more than 5000 people within a twelve month period to appoint a named Data Protection Officer (DPO) to be responsible for implementing and managing compliance with the new Data Protection Regulation.

 

The appointed DPO does not have to be an employee of the company, which allows consultancy firms to act as appointed officers where no qualified internal resource is available to fulfil this requirement.

 

It is very important that organisations appoint a DPO with a good understanding of security and data privacy as new Data Privacy requirements will require all existing security and data protection measures, policies and procedures to be aligned to the new regulation. Staff training is also specified as a requirement of the proposed regulation.

 

The proposed EU Data Protection Regulation can be summarised as follows:

 

  • Any businesses that processes personal data (including but not limited to payment details, customer records, healthcare information, etc.) on 5000 or more European citizens within a 12 months period will be required to adopt the full requirements of the regulation and must appoint a Data Protection Officer.
  • A Data Protection policy is required that is capable of guiding employees of data protection best practice in a clear manner.
  • Personal data being stored on laptops must be protected by encryption.
  • Any data being stored in cloud networks must be encrypted and must also use encrypted channels while being transferred from one location to another. Transferring data to countries outside the European Economic Area (EEA) is restricted under the Regulation.
  • Personal data sent over email must be encrypted to avoid accidental leakage. Personal data stored on removable media must be encrypted with access restricted to authorised users only.

 

Finally

The regulation states that consent for processing personal data should be explicit and must be obtained through affirmative action. It must also be equally easy to withdraw consent as it is to provide it, and the processing personal data of children under the age of 13 will require the explicit consent of parents or legal guardians.

 

Safeguarding businesses according to the proposed EU Data Protection Regulation will not be a trivial task that requires deep knowledge of current and emerging technologies, the evaluation of processes, policies and procedures, and implementation of technical controls to ensure the confidentiality of personal data.

 

This is where Sysnet can help. Our team of specialist Cybersecurity consultants understand the importance of data protection and our staff are highly skilled in a wide range of security disciplines including Data Protection, PCI DSS and ISO27001. We can provide consulting support to help you understand your Data Protection responsibilities.

 

We can also help you in designing, implementing and documenting appropriate security controls, procedures and policies to meet your obligations, all within a holistic cybersecurity framework that takes into account all other applicable standards or regulations that are appropriate for your business.

 

Like this Article?

Subscribe to receive more tips & news about Cyber Security, Compliance and a lot more!

  • Sysnet Global Solutions will use the information you provide on this form to be in touch with you regarding non-promotional as well as promotional material by email and phone. If you agree to same, then please select the ‘I consent’ box after reading the terms and conditions listed below in relation to consent. You can change your mind at any time by clicking the unsubscribe link in the footer of any email you receive from us, update your preferences for communications, content etc. by clicking on the update my preferences button in any email we send you or by contacting us at marketing@sysnetgs.com We will treat your information with respect. For more information about our privacy practices please visit our website. By clicking below, you agree that we may process your information in accordance with these terms. We use Pardot as our marketing automation platform. By clicking below to submit this form, you acknowledge or agree that the information you provide will be transferred to Pardot for processing in accordance with their Privacy Policy and Terms