The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) was adopted on 8 April 2016 and replaces the EU Data Protection Directive (95/46/EC). GDPR aims to protect individuals against unauthorized use of their personal data by organizations, and to give data controllers inside and outside the EU a single, predictable set of rules to follow. As a Regulation it applies directly in all EU Member States, without national transposition, and is applicable from 25 May 2018.
Six principles relating to the processing of personal data (Article 5(1), Chapter II):
1. Lawfulness, fairness and transparency. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject;
2. Purpose limitation. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
3. Data minimization. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
4. Accuracy. Personal data shall be accurate and, where necessary, kept up to date;
5. Storage limitation. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
6. Integrity and confidentiality. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
In order to comply with the General Data Protection Regulation, companies should:
- Where processing relies on consent, ensure that it has been obtained for the specific purpose and that it can be demonstrated (consent is one of the lawful bases listed in Article 6, not the only one);
- Conduct a Data Protection Impact Assessment (Article 35) for processing likely to result in a high risk to individuals, to identify the most effective way to comply with data protection obligations and individuals' expectations;
- Identify their lead supervisory authority and communicate the contact details of the Data Protection Officer to it (Article 37(7));
- Maintain records of processing activities (Article 30);
- Appoint or hire a Data Protection Officer (DPO) where Article 37 requires one, to monitor compliance and advise on data protection strategy;
- Be prepared to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (Article 33), unless the breach is unlikely to result in a risk to individuals, and to inform the affected data subjects without undue delay when the breach is likely to result in a high risk to them (Article 34).
GDPR compliance is best supported by an effective, regularly updated cyber security management plan that covers both data protection and defence against cyber attacks, since the "appropriate technical and organizational measures" the Regulation requires (Article 32) overlap heavily with ordinary security controls such as access control, encryption, logging and incident response.