The General Data Protection Regulation (GDPR) was approved by the European Parliament on 14 April 2016 and replaced European Directive 95/46/EC. The Data Protection Act 2018 (SI No. 7 of 2018) was signed into law on 24 May 2018, to coincide with the coming into effect of Regulation (EU) 2016/679 (GDPR). The Act implements derogations permitted under the GDPR and represents a major overhaul of the regulatory and enforcement framework.
The General Data Protection Regulation introduces new data protection requirements. For example, it requires businesses to:
- implement strict technical and organisational security measures, including pseudonymisation and data encryption;
- notify data breaches to the relevant data protection authority within 72 hours. In certain circumstances the breach will also have to be notified to the affected data subjects;
- appoint a data protection officer in certain circumstances (e.g. for companies processing sensitive data on a large scale or for those that collect consumer information);
- conduct privacy impact assessments before carrying out high-risk data processing;
- build in privacy by design when processing personal data.
Companies now need to adopt a holistic approach to data governance.
Under the General Data Protection Regulation companies are responsible for the data they collect, including if they transfer this to third parties to be processed. Companies need to ask themselves the five ‘W’s of data:
- Whose data is it?
- Why are we processing it?
- Where is it kept or transferred?
- Until when are we keeping it?
- What safeguarding mechanisms do we have in place?
Sometimes it’s necessary to keep data for long periods of time – for legal or auditing purposes or for medical records – and in those cases you must implement an appropriate retention policy that specifies the ‘shelf-life’ of the data.
One way of managing the security of data is by implementing and being certified to ISO 27001:2013, the information security management system standard. ISO 27001 facilitates the implementation of a robust and systematic approach to managing information, thereby protecting the organisation’s reputation.
The standard helps businesses to become more resilient and responsive to threats to information security. It helps keep the company secure so it can focus on doing “business as usual” whilst clearly showing clients and suppliers its commitment to protecting information.
ISO 27001 can assist companies with the requirements of GDPR by:
- Safeguarding the accuracy and completeness of information assets;
- Ensuring that information is not made available or disclosed to unauthorised individuals, entities or processes;
- Ensuring that information is accessible and usable upon demand by an authorised entity.
However, ISO 27001 has a broader scope than GDPR, while GDPR in turn covers several areas that ISO 27001 doesn’t, such as the right to be forgotten, data portability and the right to be informed about one’s personal data.