General Data Protection Regulation: what it means for your business
From 25 May 2018, the General Data Protection Regulation (GDPR) reforms EU data protection law. The regulation is intended to harmonise and simplify data protection obligations for businesses operating in the European Union. For some organisations GDPR means little more than reviewing their current security practices; for others it means building security practices from scratch and putting security first within the organisation.
GDPR replaces the current EU Data Protection Directive 95/46/EC and is directly applicable in all European Union member states, without needing to be transposed into national law.
So what does this mean for your business? As a minimum, you need to start prioritising the following points:
- Review your data protection and privacy policies to ensure they are GDPR compliant.
- Ask whether you will still be permitted to process the data you hold under GDPR: do you have a lawful basis for each processing activity, and do you keep records of each processing activity you perform?
- Make sure you have a proper data breach response plan, so that everybody knows what to do once a data breach has occurred.
- Appoint a Data Protection Officer to monitor your processes and procedures. A DPO is mandatory for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; other organisations may still find it useful to appoint one.
- Review all your existing contracts to make sure your contractual documentation is still adequate.
- Audit your international data transfers.
In the case of a personal data breach that is likely to result in a risk to the rights and freedoms of the individuals concerned, you must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The notification must describe the nature of the breach (including the categories and approximate number of individuals and records affected), its likely consequences, and the measures taken or proposed to address it and mitigate its effects. If the breach is likely to result in a high risk to the affected individuals, you are also obliged to communicate the breach to those individuals directly.