The General Data Protection Regulation (GDPR), the EU's new data protection regulation, applies from 25 May 2018. It governs the processing of personal data of individuals in the EU. It applies not only to organizations established in the EU, but also to organizations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour, and that process or store such personal data. It will have a significant impact on the operations of many organizations.
A company outside the EU that does not intentionally target EU customers may still, without realizing it, carry out activities that fall under the GDPR (for example, by collecting data from website visitors located in the EU). Local organizations are encouraged to conduct a full and serious review of how personal data is handled in their business operations. Significant changes may be necessary across the whole data lifecycle: collection, storage, identification, analysis, use, transfer and deletion.
Important Requirements in GDPR
Compared with Directive 95/46/EC, the requirements have been strengthened; some of the more important ones are listed below:
- Data minimization: Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- Storage limitation: Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for those purposes.
- Conditions for consent: Consent must be freely given, specific, informed and unambiguous, and requested in clear and plain language. Silence, pre-ticked boxes or inactivity do not constitute consent, so assuming consent or requiring users to opt out is not allowed.
- Right of access: Data subjects are entitled to confirmation of whether their personal data is being processed, and to access to that data together with information about the processing (purposes, recipients, retention period, etc.).
- Right to erasure ("right to be forgotten"): Data subjects can require the controller to erase their personal data without undue delay and, where the data has been made public, to inform other controllers processing it of the erasure request.
- Automated decision-making: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
- Data breach notification: The controller must notify the supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay.
- Accountability: Controllers must implement appropriate technical and organizational measures and be able to demonstrate that processing is performed in compliance with the GDPR.
- Processor control: Controllers may only use processors that provide sufficient guarantees of compliance with the GDPR, and the processing must be governed by a contract that sets out the processor's obligations.
- Certification: Voluntary data protection certification mechanisms, seals and marks may be used to demonstrate compliance with the regulation.
Possible Solutions by the Organizations
- Arrange for management and front-line employees to attend GDPR-related training courses.
- Implement an Information Security Management System (ISMS) based on ISO 27001:2013.
- Implement controls over outsourced processes and data processors.
- Carry out regular internal and external audits of operations.
- Continually improve the ISMS based on the assessed risk levels.
Support by DQS
DQS Academy provides professional training courses and audit/certification services on the GDPR and ISO 27001:2013, to help clients improve their information security management system and reduce the risk of non-compliance with the regulation.
- Implement an information security management system based on ISO 27001:2013 to reduce the risk of non-compliance.