The upcoming General Data Protection Regulation (GDPR), which applies from May 25th, 2018, is big on data security. This is not surprising given that the express purpose of the new regulation is to protect EU citizens and give them control over their personal data through a unified set of standards.
Here’s what you need to know about GDPR and data security:
You must ensure high processing standards
GDPR says that data controllers must only use processors that provide ‘sufficient guarantees to implement appropriate technical and organisational measures’ to meet GDPR requirements and protect customers’ data. It also gives more specific guidance on what those measures should include, as appropriate to the risk: pseudonymising and encrypting personal data; ensuring the ongoing confidentiality, integrity, availability and resilience of the systems that process it; being able to restore availability of and access to personal data in a ‘timely manner’ after a physical or technical incident; and having a process for regularly testing and evaluating how effective the security measures are.
Data breaches must be reported
When customer data has been breached – lost, altered, destroyed, stolen, accessed without authorisation etc – GDPR requires you to notify the relevant ‘supervisory authority’. This must be done without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to the people concerned, you must also inform them, unless you had applied protection measures (such as encryption) that ‘render the personal data unintelligible to any person who is not authorised to access it’. In plain English: you do not need to inform customers if the breached data is useless to whoever got hold of it, but you still have to tell the authority, and you still have to keep a record of the breach.
Much of the language on data security in GDPR is open to interpretation. For instance, although GDPR defines a ‘supervisory authority’ as the independent public authority each member state sets up, it does not spell out in simple terms which one you report to if you operate in several member states; the regulation points to the ‘lead supervisory authority’ of your main establishment, but in practice you may find yourself dealing with more than one. There is plenty more of this type of language – such as ‘timely manner’ and ‘appropriate’ measures – in GDPR, and it seems likely that much of it will only become clear through regulatory guidance and enforcement after the regulation starts to apply. So the best advice is to err on the side of caution and do all you think you have to do – and more – to ensure compliance.
• You must have high standards for data processing
• You must report any data breaches
• You must be cautious and careful, as there’s a lot of ambiguous language in GDPR about data security