The Newest Data Protection Principles in Europe.
Developments in the digital world usually mean that businesses have to adapt, whether economically, technologically, or legally. One of the latest changes, affecting both the way organisations use online resources to collect data and their legal obligations, is the EU General Data Protection Regulation (GDPR): a regulation adopted by the EU governing bodies (the European Council, the European Commission and the European Parliament) with the primary goal of unifying and strengthening data protection principles for European Union citizens.
Research shows over three-quarters of business apps lack the ability to guarantee compliance under GDPR. 75% of the apps tracked by researchers failed in areas such as following data portability requirements and deleting personal data within a reasonable timeframe.
Amongst the other worrying statistics gathered by the report is the number of companies (11%) whose apps have been signed off whilst laced with malware, a quarter of which have been shared internally, externally or even publicly. Moreover, cloud apps account for 73.5% of data loss prevention violations.
The data collected by the research highlights the increasing number of challenges businesses face when dealing with regulations such as the European Union’s GDPR, especially when trying to incorporate them into complex cloud-based networks which are now an integral part of most companies’ IT infrastructure.
GDPR Overview
Any business that collects, processes or stores data from EU-based individuals is impacted by the GDPR; essentially, this means every company trading in the European Union. The aim of the regulation is to ensure data protection laws across the 28 member countries are up-to-date and standardised, resolving the ambiguities that have surfaced with the growing popularity of cloud networks and the rise of social media platforms in the two decades since the original EU Data Protection Directive was issued in 1995.
International consistency in data protection laws is of particular importance for safeguarding the rights of both individuals and organisations, because many businesses now operate across borders. The main responsibilities for businesses are set out by the data protection principles under the GDPR, with the most notable addition being the accountability principle. Companies are now required to document any decisions made regarding a processing activity as a way of demonstrating compliance with the principles.
What is included in the GDPR’s principles?
As with the Data Protection Act (DPA), the GDPR’s principles apply to personal data, but the difference between the two is in the detail. The new definition is considerably more detailed and takes care to clarify that information from the digital world, such as IP addresses and other online identifiers, can also be classified as personal data. This wider definition reflects technological advancements and changes in the way information about people is gathered by businesses.
Additionally, ‘special categories of personal data’ are referred to by the GDPR as ‘sensitive personal data’. This mostly covers the same categories as stated in the DPA, with a few minor alterations, for instance the inclusion of biometric and genetic data processed for the unique identification of an individual.
Who does the GDPR apply to?
The regulations apply to both controllers and processors: the controller decides how personal data is used and why, and the processor acts on behalf of the controller. Most companies subject to the DPA are now subject to the GDPR, the key difference being the new obligations placed on both parties. Processors are now required to keep records of any personal data they handle and are liable in the event of a breach, while controllers are obliged to ensure their contracts with processors comply with the GDPR’s principles.
A further area worth considering is the rules around consent: the GDPR refers to both ‘consent’ and ‘explicit consent’. Under the new regulations, both forms of consent require a definitive act of confirmation (silence, inactivity or pre-ticked boxes do not count as consent) which can be verified through a record of when and how it was given.
In Summary
While transparency and accountability have always been an implicit part of data protection law, the principles of the GDPR further emphasise their importance. The regulation includes specific provisions to ensure governance and accountability, and companies are expected to put definite measures in place to ensure its principles are adhered to. In some circumstances, good-practice tools such as privacy by design and privacy impact assessments are now legal requirements.
Businesses are now required to implement certain organisational and technical measures to demonstrate that they have considered and integrated the data protection principles (as set out in the GDPR) into their processing activities. Effectively, these regulations aim to optimise personal data protection and reduce the risk of breaches to a minimum; in practice, this means more procedures and policies for companies to put in place, something that the majority of businesses are already doing anyway.
You can also get in touch with our team today if you need our help developing a realistic business continuity plan as part of your disaster recovery plan.