/ Katherine Gribok

A Three-Dimensional Look at Data Protection Regulation

The data protection is going to change next year with the new General Data Protection Regulation (GDPR) coming into force. Businesses try to find out how this may affect them and what to do next. It can be a very tricky task to understand all the intricacies on your own.

The new rules will apply to all those in the EU who control data and/or undertake data processing. Moreover, non-EU businesses doing business in the EU will also be affected. Increased enforcement will come about with the new regime, backed up by greater sanctions. We are discussing the upcoming changes with Sigma Software expert, Katherine Gribok.

The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. Information Commissioner Elizabeth Denham describes the implications as "the biggest change to data protection law for a generation." How will it impact the current status rerum, what should businesses expect?

The new regulation passes the management power to the hands of a personal data holder (in words of GDPR – Data Controller, a company that collects PD). Businesses should be ready to face new challenges and bear new responsibility ensuring correct collection and processing of PD, proper transferring it outside EU, be ready to answer questions from any EU citizen such as: “What my personal data you process?”, “Remind me when I gave you permission to use my data?”, etc.

This means organizations must know how to gather, store, process, and transfer databases in the correct way, who and on what conditions may access them, ensure their new products and solutions can face these new requirements.

Why is it of such great importance? What are possible consequences for non-compliant businesses?

This Law contains many requirements that businesses must meet: gather data in a predefined way, pass them for processing to non-EU countries only under certain circumstances, answer the requests of data holders within one month strictly, etc. The violation leads to serious consequences: if personal data is disclosed or lost, the fines will start from 20 million Euro or 4% of the global annual revenue of a business (whichever is greater).

Data Protection Regulation

Many countries already have own legislation regarding Data Protection. How GDPR will influence these legislations?

GDPR will be obligatory for all EU countries and will replace the local laws. Still it often refers to these laws paragraphs in respect of labor legislation, children rights, and more.

What are the main steps to get ready for the new GDPR?

First, you should understand what kind of personal data you deal with: employees data, candidates, customers data, or else. Then, take a close look at legislation, analyze if every database, depending of its type, actually meets the GDPR requirements. Elaborate a roadmap for improvements and bring them to life before the “D-Day”, May 25, 2018. If the company has offices or distributed teams in non-EU countries, special programs ensuring security for data processing should be implemented there, and people should know how to work with them.

How will GDPR change outsourcing?

The new regulation will require both Customer and Outsourcer to introduce a number of additional measures regarding personal data protection. Customer should ensure that personal data is collected legally and for a specific purpose. Outsourcer should process PD for the specified purpose only.

The new regulation is not a barrier for outsourcing companies, of course. They just have to be aware of all requirements and restrictions the new regulation brings, and follow the rules – that`s it.

The new regulation, does it influence software products somehow?

Yes, GDPR imposes requirements on the products themselves. Therefore, in cases when a SW product processes PD (for example, products for CVs management, employees data management), the client will need a GDPR expert to recommend changes in the product to make it compliant with the regulation.

How can Sigma Software help in preparations?

As many of our Customers have already granted access to our teams to their PD DBs, we faced the necessity to gain expertise in GDPR. Our Quality Management Department studied GDPR in detail and elaborated a dedicated program to get ready for the new GDP regulation that proved to be very effective: we manage the list of all projects where our teams have access to EC PD, these teams get appropriate awareness and skills in data processing and security engineering.

It often happens that businesses take a flat view at personal data protection, focusing on legal aspect only. Meanwhile, it can result in serious issues, since this question is much deeper that one may think. General Data Protection Regulation should be looked upon from three dimensions: legal, organizational, and technical. The legal view always remain the responsibility of Data Controllers, that is our Customers, though we can advise on steps to be taken to ensure the legal part is done without violations. In fact, Data Controller have to make sure that Data Subject gave consent for gathering his PD; the consent obtained from parents when it comes to collecting kids personal data; no data of special category (about the origin, political views, religion, biometric data) collected as PD, etc.

Process organization, when you work with collected data, is just as important. Holding regular trainings with employees, who work with data, signing all necessary non-disclosure documents, handling security issues, and thinking out the correct ways of access providing, ensuring timely backups, and much more – we have implemented these principles in own daily work, and thus we know how to build safe processes at the Customer`s side.

Great attention should be paid to the technical security of products that process personal data. It`s not a matter of choice anymore, it should be followed without any exceptions. Applications and solutions that deal with personal data must contain functionality for collecting and storing Data Subjects consents, include features that allow deleting personal data in case of Data Subject request, be able to resist hacker attacks and other illegal actions.

This comprehensive approach, when all aspects of working with Personal Data are covered, ensures businesses being fully prepared for the upcoming changes.

Katherine
Gribok