May 25 2018 is probably not a date that is written large in your calendar, but it should be. That is because it is the day when the EU General Data Protection Regulation (GDPR) becomes applicable.
Although the UK will be leaving the EU soon after that, the likelihood is that we will adopt it (or parts of it), and if you are dealing with EU organisations or individuals you will need to be compliant anyway. So, it is something you should be aware of and planning for.
What you need to look out for
The aim of the GDPR is to unify data protection law whilst increasing the data rights of individuals. To do this it is increasing the obligations of organisations that keep data in a number of ways:
- Scope – it will apply to any data that is held by any organisation offering goods or services to organisations and individuals within the EU.
- Liability – organisations need to introduce security measures as well as notify data controllers in the event of a data breach. A data processor will be liable for the damage caused by unlawful data processing if it has not complied with its GDPR obligations.
- Data Protection Officer – some organisations will need to appoint a Data Protection Officer when they process data that requires regular and systematic monitoring.
- Breaches – have to be notified within 72 hours of being discovered.
- Data transfers – these are generally banned to non-EU countries that do not provide an adequate level of protection.
- Transparency – the requirements that have to be met when notifying individuals about the personal data held on them are defined in great detail.
- Accountability – there will be a set of rules to follow to prove accountability and compliance.
Identity management is the key to ensuring GDPR compliance
Key to ensuring you are ready for the GDPR in 2018 will be making sure your identity management systems are resilient and all-encompassing. This will be the bedrock that enables you to secure your data and make sure that you do not unwittingly breach the new regulation.