The New European Union (EU) Data Protection Regulations & Procedures

Written by CISOSHARE

January 30, 2017


The objective of this document is to give a high-level overview of the new rules and regulations surrounding the newly passed European Union (EU) General Data Protection Regulation (GDPR).

This new regulation is replacing the 20-year-old directive (95/46/EC).

All Companies Must Be in Compliance with the EU’s General Data Protection Regulation

Keep in mind that from May 25, 2018, companies that are not in compliance, or that suffer a data breach while not in compliance, face fines of up to 20,000,000 EUR or 4% of the total worldwide annual turnover of the preceding year, whichever is higher.

The GDPR does not only require EU companies to comply; it also applies to any business, anywhere in the world, that holds data about EU residents, and it protects people in the EU even if they are not EU citizens. A company that employs vendors must ensure those vendors are also in compliance, or both parties may be fined.

Note that Privacy Shield certification alone no longer brings a business into compliance with the GDPR.

The New EU Data Protection Regulations

  • Even where sharing is otherwise allowed, the new EU regulation prohibits transferring personal data outside the European Economic Area (EEA) unless the data controller ensures an adequate level of privacy protection. If data is stored on a cloud service, ensure it is not sent to or stored in a foreign location, or moved between facilities, as this would be a violation. Encrypting data before it enters the cloud can protect you by showing that the controller took the necessary steps to “meet the individual’s reasonable expectations of data privacy” in the event of data loss.
  • Each company (or corporate group) will have a single national Data Protection Agency (DPA) as its lead regulator to oversee its compliance. The lead DPA will be required to coordinate with the other DPAs whose citizens are affected. Most importantly, the Regulation creates an entirely new super-regulator, the European Data Protection Board, which will issue guidance and resolve disputes among the national DPAs.
  • Two new categories of data, genetic and biometric data, are added to the “sensitive” or “special” classifications. These classifications already include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health, sex life, or sexual orientation. Pseudonymized data remains personal data under the Regulation, but pseudonymization is viewed as a highly recommended risk reduction technique.
  • Consent given in a contract is not valid if the data owner is required to consent to uses of his or her personal data that are not necessary for the contract or service itself. This will have a significant impact on “free” apps and other services that rely on using their users’ data to pay for the cost of providing the app or service. Different types of data require separate consent.
  • Companies have 72 hours to report a data breach to the DPA unless the data controller can demonstrate “that the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.” Affected individuals must be informed that their data has been compromised “without undue delay if the personal data breach is likely to result in a high risk” to their “rights and freedoms.”
  • Having and enforcing internal data protection policies and procedures is a requirement, and companies may need to present them in the event of an incident. All data breaches and the investigations that follow them must be documented.
  • Companies must appoint a Data Protection Officer if their core activity consists of processing operations that require regular monitoring of individuals on a large scale, or of processing large volumes of data in a special category, such as “data relating to criminal convictions and offenses.”
  • Individuals can now request that their data be erased if:
    • the data is no longer needed or used for the purpose for which it was originally collected;
    • the data owner has withdrawn his or her consent;
    • the individual objects to the collection or processing of his or her personal data; or
    • the organization processing the personal data is not in compliance with the GDPR.

How Does the New EU Data Protection Regulation Impact Companies?

For companies holding information about individuals who reside in or are citizens of the EU, this new regulation directly affects the information security side of the business. Both the company and its vendors must be in compliance or will incur substantial fines in the event of a data breach. Policies and procedures need to be updated to match the requirements of the new regulation, and companies must be able to show that the required processes are actually taking place.
