Getting ready for GDPR
March 27th, 2018
From a compliance perspective, the General Data Protection Regulation (GDPR) is a key focus area for businesses. The regulation was first proposed by the European Commission in January 2012, was adopted in April 2016, and will apply from May 25, 2018.
Refined by input from the European Council, European Parliament and European Commission, the GDPR, unlike a directive, will be directly applicable in all member states without having to be transposed into national law by individual governments.
To Whom Does the GDPR Apply?
The GDPR represents the most prominent change in data privacy regulations in the past two decades. Given that we’ve witnessed the fast growth of data storing and processing capabilities during this period, it is the logical next step for updating the privacy and security standards for data governance.
The GDPR applies to all organisations (Data Controllers) that collect, store and process the personal data of individuals in the European Union (EU) (Data Subjects), whether by offering them goods or services or by monitoring their behaviour, regardless of where the organisation itself is located. It applies to that data whatever device it was collected from, which places a substantial responsibility on Data Controllers to ensure compliance with the new regulation.
Although these days most Data Controllers use another company (Data Processor) to process data on their behalf, the current data protection directive, Directive 95/46/EC, places its obligations on Data Controllers only; Data Processors carry no direct liability under it. The GDPR brings a big change in this respect, since it places obligations on both Data Controllers and Data Processors. Noncompliance may result in fines of up to €20 million or 4 percent of the company's worldwide annual turnover, whichever is higher, and that does not include the risk and cost of reputation loss.
Power to the People
The primary objectives of the GDPR are to give EU residents control of their personal data and to simplify the regulatory environment for international business by unifying the standard within the EU. Major changes include:
A broadened definition of personal data (wider than the traditional notion of personally identifiable information, PII), which narrows what Data Controllers and Data Processors may collect and process without a lawful basis;
A right of access, together with transparency obligations, so that data subjects can find out what data is being collected about them, by whom and why;
Increased control of cross-border data transfers;
The right to object to processing, which now explicitly includes the right to object to profiling, and the right not to be subject to decisions based solely on automated processing;
Higher standards for consent, which must be freely given, specific, informed and unambiguous rather than implied;
An enhanced right to erasure (the "right to be forgotten"); and
The right to data portability, since data controllers must provide the data subject's data in a structured, commonly used and machine-readable format and, where technically feasible, transmit it directly to another organisation at the data subject's request.
Building a GDPR Readiness Plan with ADSI MDM
Call us to discuss how an MDM (Mobile Device Management) solution can help you comply with GDPR – 01268 495555
To honour these rights for EU residents, Data Controllers and Processors will have to create and implement a GDPR readiness plan before May 25, 2018. Beyond facilitating the rights of Data Subjects outlined above, the GDPR readiness plan should include:
Data minimisation, so that only the data actually required for the processing is collected;
Documented data privacy and security practices to define standards for accountability, and demonstrate and maintain compliance;
Advanced training and workshops for employees to gain complete understanding of the new regulation;
Privacy by design and by default, so that data is governed according to best practice throughout its life cycle; and
Privacy assessments and gap analysis to evaluate the current state with respect to compliance standards and key areas for process improvement.
With ever more data flowing through smartphones, tablets and laptops, expect this regulation to govern how that data is collected, stored and processed. Compared to traditional software, it is relatively easy to assess GDPR compliance for an MDM solution: since the users are employees, their data is already stored in many other corporate applications. But there are still quite a few functional complexities to be addressed, including:
The risk of capturing personal data from a managed device, since many corporate devices are also used by employees for personal activities;
Segregating corporate data from the variety of personal data on the device, such as location, multimedia and app data; and
Maintaining data security both on the device and in transit over the network.
As an industry-leading MDM solution, ADSI MDM is committed to establishing best-in-class security, privacy and transparency measures that are compliant with regulatory requirements and best practices.
ADSI MDM is available from £2.49 per device, per month