Getting Ready For New EU Data Protection Legislation In 2018

Data Protection

With Big Data, artificial intelligence (AI) and machine learning becoming widespread, there are major implications for privacy and data protection, especially where personal data is involved. The General Data Protection Regulation (GDPR) comes into force across all EU member states on 25 May 2018, requiring organisations to be compliant from day one. It is an overhaul of the current Data Protection Act that extends coverage to biometric and genetic data, bringing the regulatory environment up to date in relation to Big Data.

Transparency & Accountability

The new Regulation is designed to promote and facilitate data-sharing by putting in place appropriate principles and safeguards that protect individuals’ privacy and ensure that cyber security is maintained. Transparency and accountability are key, with extra levels of transparency for individuals around how their data is used and processed, and more rights for people who have questions about their own data.

New best practice will be to combine encryption with the anonymisation of Big Data to safeguard personal details and protect against their misuse. A new code from the Information Commissioner’s Office describes the steps that organisations can take to ensure that anonymisation is conducted effectively while still retaining useful data.

Roadmap For Compliance

Based on the Information Commissioner’s Office best practice, organisations will need to consider the following critical questions as they prepare for GDPR:

  • Do you know what personal information you hold, and on which system it resides?
  • How will the ‘right to be forgotten’ impact your organisation?
  • Will data portability have an impact?
  • Do you have a Data Protection Officer that reports at board level?
  • Do you log complaints received via the ICO and undertake root cause analysis on each case?
  • Are all your Data Privacy policies updated on a regular basis?
  • Do you delete personal information in line with a retention schedule?
  • Are your models for obtaining consent in line with GDPR requirements?
  • How would a GDPR fine of up to €20 million affect your organisation?

Specialists can undertake a detailed Data Protection Act gap analysis of an organisation’s current provisions, highlighting improvements and areas of good practice. The findings then map to GDPR provisions to identify high-risk areas that need extra focus in the run-up to implementation, and to develop a practical, prioritised roadmap for this important area of compliance.

With these preparations in place, organisations can confidently state that they have mitigated the risks associated with the new Regulation, and can ensure data protection is built into data and analytics projects from the start. If followed correctly, the Regulation won’t hinder the use of data; it will enable its wider use by helping organisations to address any risk and ensure the transparency and security of data that is needed in the digital age.

Deborah Dillon

Deborah Dillon is Lead Auditor, Business & Platform Solution for Atos UK&I. She specialises in Information Governance, including the application and implementation of Data Protection processes and procedures across a wide range of organisational areas. She is a BSI accredited ISO 27001/2 Lead Auditor.