Tuesday, November 29, 2016

New European Data Privacy and Security Rules (GDPR)
The newly launched GDPR Wiki site offers a wealth of information on these rules, which were adopted in April 2016 and apply from 25 May 2018:
  • "Coming to you in May 2018, the GDPR is the most significant development in data protection that Europe, possibly the world, has seen over the past twenty years and therefore unsurprisingly is designed to better take into account modern technologies, the way we work with them today and are likely to work in the future. In addition, there is a much greater emphasis on compliance following a widely held belief that business had not taken data privacy seriously enough previously. As a consequence, penalties are considerably harsher and the compliance requirements are intended to spread a far wider net to include small and medium businesses."
This initiative is a resource delivered by Tim Hyman, former IT director of law firms including Reed Smith and Taylor Wessing.

The site has published and distributes several resources, including: "The Essential Guide to GDPR" --
  • "Following recent presentations on the potential impact of GDPR at a number of global law firms and a presentation to the Institute of Barristers Clerks, I have been asked to compile a guide as to the basic principles of GDPR, how they may impact technology systems and which software tools/vendors could assist with compliance... The solution providers that appear in the guide are those that have come forward and described how their solutions can help businesses looking to get GDPR compliant."
  • "THE 6 GDPR DATA PROTECTION PRINCIPLES:
    1. (‘lawfulness, fairness and transparency’) processed lawfully, fairly and in a transparent manner in relation to the data subject
    2. (‘purpose limitation’) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
    3. (‘data minimisation’) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
    4. (‘accuracy’) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
    5. (‘storage limitation’) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
    6. (‘integrity and confidentiality’) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures."
As further context on the topic, Wikipedia offers:
  • "The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU). It also addresses export of personal data outside the EU. The Commission's primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.[1] When the GDPR takes effect it will replace the data protection directive (officially Directive 95/46/EC) [2] from 1995."
Dell also sponsored a third-party survey on the new rules. The report highlights the state of readiness across the general corporate sector (short version: likely lacking).

Is your firm ready? Or getting ready to be ready? May 2018 will come sooner than we think... And it looks like, on the compliance side, firms are already planning their GDPR litigation offerings.
