The General Data Protection Regulation (GDPR) has now been adopted across the EU and will be enforceable from 25th May 2018. The GDPR is directly binding and applicable because, unlike the Data Protection Directive from 1995 that it replaces, it does not require any enabling legislation to be passed by national governments.
Irrespective of whether or not the UK is a member of the EU, if you or your company currently process, or may at some point in the future process, data of EU residents, it is imperative that you have systems in place to handle this data correctly, as the GDPR will also apply to organisations outside the EU that process data on EU citizens. It will therefore also be important for companies to be able to prove that they have the correct systems in place, with adequate audit trails and possibly evidential management of data and the data lifecycle.
Before you decide that you are not handling data relevant to the GDPR, note that according to the European Commission "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address." (European Commission’s press release announcing the proposed comprehensive reform of data protection rules. 25/01/2012).
Police forces and the criminal justice sector, please note that the GDPR will not apply to national security activities or law enforcement, but a Data Protection Directive included in the data protection reform does lay out robust rules on personal data exchanges at national, European and international level. It is stated that police forces and the criminal justice sector “will ensure that the data of victims, witnesses, and suspects of crimes, are duly protected in the context of a criminal investigation or a law enforcement action”. The GDPR also lays out obligations for data controllers to only engage data processors that provide “sufficient guarantees to implement appropriate technical and organisational measures” to meet its requirements and suitably protect data subjects’ rights.
Other key points that are worth highlighting in the GDPR are:
- companies are expected to be able to restore the availability and access to data in a “timely manner in the event of a physical or technical incident”.
- companies are expected to have a process for “regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing”.
If you are not sure how you or your company may be affected, Mercia Solutions can offer a consultation and a variety of solutions to help you ensure that you operate in accordance with the new regulations and avoid the increased fines imposed by regulators (starting at €10 million).
Will you be affected?
- Do you have SOC officers collecting data such as fingerprints and/or victim photos?
- Are the memory cards used for data collection being forensically wiped?
- Are there controls in place to restrict who has access to the memory cards at all times?
- Who has access to data on memory cards?
- Are cards left unattended at any time?
- Are evidential processes in place to prove security of data?