The General Data Protection Regulation is fast approaching. Do you want to be ready by May 25, 2018? Allow us to enhance your knowledge of the subject.
What is GDPR?
The General Data Protection Regulation, or GDPR, was adopted by the European Parliament in 2016, leaving companies 2 years to adapt to the new regulation. A company that does not comply with the GDPR can be punished with a fine of up to 4% of the organization's global annual turnover or an amount of € 2,000,000.
The goal of this new regulation is to improve the protection and accessibility of personal data and to establish the right to be forgotten. In an increasingly connected world where data circulates rapidly on the Internet, it becomes essential to structure the information so that it can be accessed more quickly, especially during a cyber attack.
When you want to collect data from a user, it will be mandatory to state the purpose for which the information will be used and to certify that you will not keep using the information afterwards. This regulation is not limited to EU Member States: it also applies to any company handling the data of EU citizens.
What about the companies?
The GDPR is coming quickly, but what about Belgian companies? Will they be ready by May 25, 2018? At the end of 2016, PwC & Law Square carried out a study to determine whether Belgian organizations would be ready for D-Day. The study showed that only 30% of respondents had already audited their compliance with the GDPR, and 40% had yet to think of a privacy strategy. Other companies, operating in more regulated sectors and following the new European laws closely, state that they already comply with the new regulation; these firms account for 67% of the organizations participating in the study.
How to prepare?
You are now aware of the importance of this new regulation and you wish to be ready for May 25, 2018? The CNIL (Commission Nationale de l’Informatique et des Libertés) is the French commission that protects the rights, freedoms and privacy of Internet users. The CNIL is anticipating 2018 and proposes a compliance programme in 6 steps:
- Designate a pilot
It will be essential to have an in-house resource with the skills to manage personal data. The person best placed to lead this project is a Data Protection Officer. In the meantime, appointing a "computer and freedoms correspondent" (the existing CNIL role) will allow you to prepare before May 2018.
- Map your data processing
To get an overview of the obligations the European Data Protection Regulation places on you, it is essential that you map your processing of personal data.
- Prioritize actions
You must list the most important actions to take so that the rights and freedoms of the persons concerned by your processing operations are not infringed.
- Manage risks
After identifying the processing of personal data that does not comply with the new rules of the GDPR, you will have to carry out a data protection impact assessment for each processing operation that presents a risk.
- Organize internal processes
Organize your internal processes to avoid complications in the future. A well-designed process will allow you to act more quickly on the data collected, for example when one piece of data has to be corrected. It will also allow you to limit security weaknesses.
- Document compliance
The final step is to document your compliance, keeping evidence of every action taken and every document produced at each step. These documents must be updated regularly to avoid any gaps.