EU General Data Protection Regulation

Background and Scope

A new EU data protection framework that supersedes all prior regulations takes effect on May 25, 2018. The General Data Protection Regulation (http://www.eugdpr.org/) (GDPR) replaces the current directive 95/46/EC and applies in all Member States. In its simplest form, GDPR is intended to strengthen and unify data protection regulations for individuals within the European Union (EU).

Servicengine recently published a Security Management and Strategy whitepaper with a detailed plan and approach to help our clients meet the compliance deadline. The document highlights the most significant aspects of GDPR, such as extending jurisdiction to companies outside the EU and the potential for substantial financial penalties. All of our clients doing business in the EU should be aware of the most critical requirements of the GDPR:

  • Responsibility and Accountability – Businesses are responsible for protecting the personal data within their control
  • Data Protection by Design – Security must be inherent and incorporated into the system design
  • Consent – Valid consent must be received to collect personal data
  • Pseudonymization – Personal data should be obfuscated or encrypted, with the keys stored separately from the data
  • Recording – Records must be maintained for all processing activity involving personal information
  • Data Portability – Individuals can have their personal data transferred from one system to another
  • Right to Erasure – Under certain circumstances, individuals can require that personal data be permanently deleted
  • Notification – In the event of a breach, data controllers are required to notify the Supervisory Authority without delay

These are the fundamental elements of the regulation’s treatment of personally identifiable (PI) data:

  • Controlling the processing and distribution
  • Restricting the collection and storage
  • Transparency on management and usage
  • Limiting the storage duration to a specific amount of time
  • Allowing corrections or the request to be deleted
  • Certifying the protection by use of acceptable security methods