Tuesday 8th August 2017
What is the GDPR?
The General Data Protection Regulation (GDPR) has been designed to protect the rights, privacy and freedoms of natural persons in the European Union and to enable individuals to better control their personal data. The GDPR has been developed by the European Union Commission as a single, pan-European law that operates above and supersedes other (national) laws and the Data Protection Directive. The GDPR will require all data controllers[1] and data processors[2] that handle the personal information of EU residents to “implement appropriate technical and organisational measures […] to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”. The Regulation will be enforceable from 25 May 2018.
The Regulation requires organisations to put in place a compliance framework which ensures they implement appropriate technical and organisational measures so that processing of personal data is performed in compliance with the GDPR. “Processing” is essentially anything done to the data, including storage. “Personal data” means any information relating to an identified or identifiable natural person.
How can ISO27001 help organisations comply with the GDPR?
The Regulation states that having a recognised information security certification, such as ISO27001, will be a good way for an organisation to demonstrate that it protects its information assets using best-practice information security measures.
Will the Regulation continue to apply when Britain leaves the European Union?
Any organisation anywhere in the world that provides services into the EU that involve processing the data of EU citizens will have to comply with the GDPR. Any organisation that wishes to sell its goods or services to EU-based citizens or organisations is therefore likely to need to continue to comply after Britain leaves the European Union. In addition, the UK Government has recently announced plans to introduce a new UK Data Protection Bill, which will align with the GDPR.
What are the penalties for failure to comply?
Failure to comply with the GDPR can result in fines for organisations of up to 20 million euros (£17m) or 4% of annual global turnover, whichever is greater.
___________________________________________________________
[1] ‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
[2] ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. An organisation can be both a controller and a processor.