The draft EU General Data Protection Regulation aims to totally reform data protection legislation throughout Europe in an effort to improve online privacy rights and boost the digital economy. Currently known as the EU Data Protection Directive, the EU General Data Protection Regulation will be immediately binding in all of the EU member states when it comes into force. This is the second article on this topic. The first was published here.
Who will be responsible for data protection in an organisation under the new draft regulation?
According to the proposed regulation, a data protection officer must be appointed in companies of a certain size (likely to be more than 250 employees) in order to accept the risk and take responsibility for the organisation’s legal obligations. It is important to note, though, that all employees are responsible for data protection – from the HR department through to the administrative staff who might dispose of data in the incorrect manner. Data protection is not just an IT issue – it is a people issue.
How will personal data be categorised?
Personally identifiable information (PII) is usually considered to be either personal or sensitive information, the latter holding more restrictions than personal data. Under the proposed regulation, there are additional categories that will require additional restrictions, such as children’s data (under 18) and employee data.
How do you get started?
The first step is to conduct an analysis of the current PII that you already have in your possession. This means conducting a thorough investigation into the types of data you hold manually (i.e. printed copies of employee records) and electronically.
The next step is to assess the policies that are being applied and enforced in your organisation, such as the encryption of data, the shredding of documents, etc.
Another element of the assessment is to establish whether your staff awareness and training policies are adequate to inform your employees about what is right and what is wrong. Too often, companies are caught off guard because their employees were not aware of the data protection policies and procedures. Another aspect to consider is whether you have the right confidentiality clauses in place with contractors who might be processing any data that you hold.
A critical step that is often overlooked is to conduct a detailed assessment of your information security system to establish whether you have the right policies, procedures and infrastructure to protect your company from a data breach.
Where can you get help?
IT Governance can provide detailed assessments of your data protection regime to ensure you are on track to start adopting the new regulation when it comes into force. Contact our Data Protection consultancy team to see how they can help you today. https://www.itgovernance.co.uk/dpa-compliance-consultancy.aspx
Keep up-to-date of the latest developments in the EU data protection reforms and remain updated about the implications to the UK Data Protection Act on this page