Ahead of GDPR implementation, we hear from Stephen O’Boyle, Head of Professional Services at BSI Cybersecurity and Information Resilience.
No doubt you have heard about the impending General Data Protection Regulation (GDPR) that is set to change the face of how companies do business, not least for the public sector and civil service.
In fact, change might be an understatement. Under the new legislation, which takes effect from the 25 May 2018, any business which handles personal information pertaining to a living individual – and let’s face it, it’s hard to conceive a business that doesn’t – will fall under its scope.
While this regulation may seem limiting, it’s ultimately designed to compel businesses to adopt best practice surrounding data protection, something Stephen O’Boyle, Head of Professional Services at BSI Cybersecurity and Information Resilience, believes is entirely achievable. “With the GDPR enforcement date looming, there are three key elements to consider – understanding, achievement and improvement. With these addressed, compliance is feasible,” he explains.
O’Boyle highlights the key details around GDPR, and what they mean as the impending deadline approaches:
• Significant fines
Non-compliance with GDPR will see companies receive fines for breaches of the regulation. Fines are set in two tiers: €10 million or 2 per cent of annual worldwide turnover, or €20 million or 4 per cent of annual worldwide turnover, whichever is higher.
• What constitutes personal data under GDPR?
All personal data, which can include CCTV footage, location information and financial data – in short, anything that you, as a ‘data controller’, hold in relation to an individual, or ‘data subject’.
• The right to erasure
If an individual no longer wishes for their data to be stored, and there are no legitimate grounds for keeping it, the data must be deleted by the controller. Responsibility falls on the data controller to prove that they need to keep the data, not on the individual.
• Redefining consent to ensure transparency
Individuals must be fully and specifically informed at the point of collection on all purposes for which data is used. Data subjects may now also remove their consent at any time, and for any reason.
• Mandatory notification of a data breach
Organisations will now be required to report a data breach to their Supervisory Authority within 72 hours of becoming aware of the breach.
• Portability of data
The regulation deems that data subjects will have the right to transfer their personal data in electronic format from one data controller to another without interference from the original controller.
• Privacy by design
This idea is fundamental to the new regulation, and aims to change the overall attitude and organisational planning towards Data Protection. Article 23 stipulates that Data Protection should be considered in the development of business processes, rather than included as an afterthought.
• Appointment of a Data Protection Officer (DPO)
Some organisations will have a mandatory requirement to appoint a DPO. The DPO must be independent and will report to the regulator and not the board of directors.
• Increase understanding of GDPR
Accountability and vigilance are key to preventing a possibly seismic data breach within your company. Engage in an awareness campaign to educate your employees on the new data protection regulation, provide training to encourage correct conduct, and designate a DPO.
“This reform has significant implications for business, not only for those based in the EU, but all companies globally that handle personal data of EU citizens or residents,” concludes Stephen.
For more information:
Stephen O’Boyle is Head of Professional Services at BSI Cybersecurity and Information Resilience
Based in Sandyford, Dublin, BSI Cybersecurity and Information Resilience is a centre of excellence for managing and securing corporate information, offering a range of solutions to help companies become GDPR compliant, including consulting, training, research, technical solutions and outsourced Data Protection Officer (DPO) services.
T: +353 1 210 1711