The European Parliament has adopted a new personal data protection regulation. It must be implemented in all organisations by the end of May 2018, and it also applies to the EEA countries. The new rules mean increased responsibility for businesses and public administration, substantially higher penalties for violations, and a greater focus on control and compliance with the legislation. In practice, this means that all EU and EEA countries will have new personal data protection regulations, which come into effect during spring 2018.
Politicians anticipate that the regulation will reduce the differences between European countries. The EU is aiming for greater harmonisation: in this case, equal levels of personal data protection throughout the EU and EEA. This may result in the supervisory authorities being harmonised to a greater extent. Practices currently differ substantially between countries, and also between sectors. An international company that violates the rules in a particular country could, in future, be fined by the supervisory authority in the company's home country. The European Parliament's adoption of the new personal data protection regulation is just one of the EU's strategies for digitising Europe: a Europe with a patchwork of systems and practices, in which technology has for much of the way outrun current regulatory practice and its lagging procedures. It's time to make a change.
What is new in the regulation?
The new rules will place greater obligations on organisations, but will also make it easier to know how to process personal data legally and well. The regulation also reduces the differences between the countries, which will make it easier for organisations to process personal data across national borders within Europe. The new rules apply not just to organisations in Europe, but also to companies outside of Europe offering goods and services to European citizens.
From the point of view of organisational management, this brings greater responsibility and the need to improve procedures relating to personal data protection. The EU regulation requires organisations that store or use personal data to have a conscious attitude to, and be able to answer, the following questions:
- What personal data are stored and for what purpose?
- Which of the organisation's data must be marked as sensitive personal data?
- Who is the data processor responsible for personal data?
- What agreements have been concluded with data processor subcontractors?
- How are sensitive personal data used and transferred in systems?
- Are personal data secure and protected from external and internal hacking?
- What are the consequences for personal data in the event of an external security breach?
Solution concept for smooth implementation
Many private and public organisations are uncertain about what this will mean in practice. How extensive will the change be, and which practices should they apply? To meet these challenges, the law firm Føyen Torkildsen and SAS Institute have developed an international business concept to help organisations meet the requirements of the new regulation effectively.
Føyen Torkildsen delivers legal and corporate expertise, and SAS Institute delivers an advanced analytical and data integration platform to streamline the work involved in the change. The concept builds on experience from similar projects, and the deliveries consist of advice and tailored IT support to chart and document deviations between current practice and the requirements of the new personal data protection regulation. The concept will also give the organisation insight into the alternatives and into what must be in place to ensure that progress is adequate before the changes come into effect in May 2018.
Accelerators for effective implementation
We believe that if organisations focus on the primary activities that, in our experience, are critical, the implementation will be smooth. These activities will initially be data mapping, including data source analysis, data-flow analysis, logging, monitoring, and management of users and access rights. This will be followed by updating important operating procedures such as incident analysis, administration of guidelines, audits, and putting in place an adequate audit trail.
To help organisations kick-start the practical work, we have prepared a set of "accelerators" that streamline the work and provide an overview of the areas in which organisations must invest and prioritise. These accelerators will help users to:
- Analyse personal data protection consequences when implementing the new regulation
- Get an overview and perform risk assessments in regard to systems
- Operationalise and administer checklists
- Establish security targets and security strategies
- Monitor and ensure life cycle tracking of guidelines
- Administer processing of incidents
The accelerators combine best practice with secure processing of information, and closely link the advisory services to functionality in the SAS system. The accelerators come with ready-configured features, similar to preconfigured software, which connect to the organisation's computer systems and IT processes.
The primary task of the accelerators is to help the organisation make very specific assessments of the consequences for personal data protection by producing overviews of systems and their related risk. With the help of the accelerators, the organisation can also implement procedures that provide overviews of the desired controls and monitoring procedures. The accelerators also give organisations operational tools for the administration and life cycle tracking of guidelines, and they support the implementation of standardised processes and procedures for processing and administering incidents and risk.
At the beginning of this article, I mentioned that the new regulation will place greater obligations on organisations, but it will also make it easier to understand how to process personal data legally and according to best practice.
If you are interested in learning more about the SAS Solution for Personal Data Protection, you can read more here.