
EU data protection law is passed - additional expert comment

April 2016 by Dr William Priestley, systems engineer at Varonis

Yesterday, the European Parliament passed the final vote for the new General Data Protection Regulation (GDPR). These approved new data protection rules will strengthen online privacy, streamline legislation between the 28 member states and boost police and security cooperation. Notably, the regulation includes tougher penalties for companies in breach of EU data protection law, with fines of up to 4% of global turnover, and a requirement for companies to disclose personal data breaches within 72 hours.

If you are planning on covering this news, please see below for detailed commentary from Dr William Priestley, systems engineer at Varonis: "The GDPR replaces the ageing Data Protection Directive, to address contemporary data consumption paradigms such as the internet, cloud hosting and big data analytics. Basically, it addresses a Digital Single Market where data is flowing increasingly without boundaries. It also expands the territorial reach of, and therefore protection by, EU Data Protection law to organisations outside of the EU but working with data of EU citizens.

It adopts the “Privacy by Design” school of thought, meaning it will:

• minimise the collection of personal data
• account for where personal data resides
• delete personal data that’s no longer necessary
• restrict access to only those that need it
• secure personal data through its entire lifecycle

It also adopts, by design, accountability for the data, meaning organisations will need:

• to implement technical and organisational measures to properly process personal data (i.e. design comprehensive data governance policies, and introduce technical methods to implement and enforce them)
• in certain circumstances, to nominate a Data Protection Officer
• to provide clear documentation of process
• to conduct Data Protection impact assessments

GDPR legitimately recognises Binding Corporate Rules, allowing intra-group international data transfers, and as such requires strict data governance practices to be in place before approval of a BCR. In the GDPR, a data breach needs to be reported within 72 hours of awareness. Those affected also need to be informed. Infringements, such as data breaches, will result in fines of up to 4% of global revenue (not margin).

What organisations need to start doing now in preparation for the GDPR

GDPR won’t come into force immediately, but is looking likely to be effective within 2018. Before then, organisations will need to have in place all the governance policies, incident response plans and technical framework within which to effect compliance.

From an IT/digital perspective, these include:

• Prepare for data security breaches and have an incident response plan (ideally detect and alert on data breach activity and prevent it; in the event of a breach, be able to provide forensic analysis of what data was affected by the breach and when it occurred, and provide this information to the Data Protection Authorities and affected individuals accordingly).
• Establish a framework for accountability within the business (who owns the data, who are the data processors, train staff down the reporting line to understand their obligations, etc.).
• Embrace privacy by design in the business culture (restrict access to data, track the data’s lifecycle activity, retire the data when it is no longer needed)."
