Once published there will then be a two-year period for every organisation that does business in, or with, the EU to comply with the regulation. And, since it is a regulation, not a directive, compliance is mandatory, without the need for each member state to ratify it into its own legislation.
The GDPR expands the scope of data protection so that anyone or any organisation that collects and processes information relating to EU citizens must comply with it, no matter where they are based or where the data is stored. Cloud storage is no exception.
The definition of personal data has also been expanded. It states that personal data includes information from which a person could be identified, either directly or indirectly. Under the new definition, identifiers such as IP addresses and cookies are included as personal information.
The GDPR introduces mandatory breach notification unless the breach is unlikely to result in a risk to the rights and freedoms of the data subjects concerned.
According to Tankard, one particularly onerous demand in the new regulation is that organisations suffering a data breach must notify data protection authorities within 72 hours of its discovery.
Sanctions for non-compliance with the regulation have not only been made uniform, but they have been increased considerably. For a minor breach, organisations can be fined up to 2% of their worldwide revenue or 10 million Euros, whichever is higher, although a warning can be given for first offences.
For more serious violations, fines of up to 4% of worldwide revenue or 20 million Euros, whichever is higher, can be imposed.
“Two years may seem a fair amount of time to prepare, but it will pass quickly,” says Tankard. “The time to start preparing is now,” he adds.
According to law firm Baker & McKenzie there are five initial steps to take before considering the measures needed to achieve compliance. These are:

- Assess whether or not you will fall within the scope of the GDPR
- Understand the new compliance obligations, decide how to comply with them and assess their operational impact
- Identify new responsibilities and risks and consider how to address those risks
- Understand the market, in particular what data controllers will require from processors moving forward and what your competitors will or will not be willing to agree to vis-à-vis data controllers
- Devise a strategy for negotiating processing agreements.
After years of wrangling, the GDPR is now a fact and compliance deadlines are looming.
Tankard adds, “The time to start preparing is now. In fact, Digital Pathways have been promoting technologies that link access control to encryption for over 20 years. Organisations need to ensure that they are not caught out and face sanctions for non-compliance. With the right precautions in place, organisations should have little to fear. The time and effort required to achieve compliance will vary greatly from one organisation to another, but it is well worth the effort.”