With the final stages of negotiations regarding the General Data Protection Regulation in full swing, experts believe there is a chance that the Regulation may be adopted by December of this year.
“The shared ambition is to reach a final agreement by the end of 2015,” the European Commission said in an earlier statement.
Whether the December milestone will be achieved remains to be seen, given the sensitivity of this stage of the negotiations, especially regarding the ‘one-stop shop’ approach. The latest draft proposes that the one-stop shop only applies in important transnational cases, with all interested data protection authorities having the right to be consulted and participate in joint operations.
The GDPR will come into force two years after the date of publication. The Data Protection Directive (95/46/EC) will be repealed when the final GDPR is officially published, but will still remain in force until the GDPR comes into force.
Let’s take a quick recap of what the GDPR proposes:
- Data breach fines remain significant
The draft Regulation proposes fines of 2% of turnover or €1 million, whichever is the highest.
- Non-EU businesses may have to comply with the Regulation
- A broader definition of personal data will apply
The draft Regulation proposes that data privacy should encompass other factors that could be used to identify an individual, such as the genetic, mental, economic, cultural or social identity of an individual.
- Unambiguous consent must be sought from data subjects
- The appointment of a data protection officer (DPO)
The latest draft regulation alludes to the voluntary appointment of a DPO unless required under EU law or that of member states
- The introduction of mandatory privacy risk impact assessments
A risk-based approach must be adopted before undertaking higher-risk personal data processing activities.
- The introduction of data breach notification regulations
The draft proposes that processors alert and inform controllers within 72 hours of a data breach, placing a greater emphasis on supply chain data security.
- The right to be forgotten
The draft proposes that data subjects should have the ‘right to be forgotten’.
- The international transfer of data
Since the Regulation will also be applicable to processors, organisations should be aware of the risk of transferring data to countries that are not part of the EU.
- Data portability
Data portability is still a hotly debated subject, with many questioning how practical the proposed requirements for portability are. Data portability will allow a user to request a copy of personal data in a format usable by them and electronically transmissible to another processing system.
- Privacy by design
It has been proposed that controllers must implement appropriate measures to ensure that processing protects the rights of the data subject, that only the minimum personal data will be processed, and that the data is not disclosed more widely than necessary.
Businesses cannot wait to get their data security houses in order. ISO 27001, the international standard for information security, offers a framework for the implementation of an information security management system that protects, manages and maintains information and data security.
An ISO 27001 Gap Analysis provides a high-level view of an organisation’s information security regime against the requirements of the international framework, ISO 27001. A gap analysis will enable you to understand what is required to comply with the Standard, and provides an approximate breakdown of the costs, activities and timeframe needed to achieve ISO 27001 certification.
Find out more about ISO 27001 now, or contact us on +44 845-070-1750.