The EU’s new data protection regulation, known as the GDPR (General Data Protection Regulation), can significantly impact the way your organisation handles personal data. Your organisation will not only be responsible for ensuring compliance with the regulation in terms of handling and protecting personal data; it can also be penalised for non-compliance and will be liable for any damage resulting from data breaches. The General Data Protection Regulation aims to harmonise data protection rules throughout the EU and to strengthen and unify data protection. It addresses personal data security for EU citizens and individuals within the EU, but also regulates the export of personal data outside the EU. The Commission’s primary objectives for the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The regulation was adopted on the 27th of April 2016. It enters into application on the 25th of May 2018, after a two-year transition period, and will replace the current data protection directive 95/46/EC from 1995. Unlike a directive, it does not require any enabling legislation to be passed by governments.
Legal & Regulatory roles and obligations
Awareness (value, costs, risks, compliance, architecture)
Maturity and vision
Impact on business model
The GDPR will supersede all current national data protection laws in the EU. Here is an overview of the main expected changes that organisations will have to be aware of and adapt to:
Expanded territorial reach
The GDPR applies to organisations and their subcontractors outside the EU. In practice, this means that a company outside the EU that targets consumers in the EU will be subject to the GDPR.
Accountability and Privacy by Design
The GDPR makes organisations fully accountable for demonstrating compliance. This includes requiring them to document compliance, conduct data protection impact assessments for risky data processing and implement data protection by design and by default in their operational processes.
A data subject’s consent to the processing of his or her personal data must be given freely and, for sensitive data, explicitly, either by a statement or by a clear affirmative action signifying agreement to the processing. Consent can be withdrawn at any moment. The organisation must be able to demonstrate that consent was given.
Data Breach Notification
Organisations must notify the Data Privacy Authority of data breaches. This must be done without delay and, where feasible, within 72 hours of becoming aware of the breach. A substantiated justification must be provided if this timeframe is not met. The organisation must also notify the affected data subjects without delay when their data has been compromised.
Role of subcontractors
One of the key changes in the GDPR is that subcontractors have direct obligations. This includes implementing technical and organisational measures and notifying your organisation without delay of data breaches.
The GDPR establishes penalties for infringements: fines of up to 4% of annual worldwide turnover for data breaches and up to 2% of annual worldwide turnover for non-compliance.
Data Protection Officer (DPO)
In specific circumstances, organisations or subcontractors must designate a Data Protection Officer. The DPO will need sufficient expert knowledge and may be an employee or engaged under a service contract.
Right to be forgotten
Individuals can require the organisation to erase their personal data without undue delay. A typical example is where they withdraw consent and no other legal ground for processing applies.
9 Steps to get started with GDPR
How NRB can help you
Advisory services: NRB can assist with roadmap and data protection strategy development, through consulting or through staff provisioning at different levels. Our team of experienced consultants provides services ranging from technical data automation to C-level advisory, ensuring continuity and single accountability.
DPO resources: many organisations do not have the resources or competences required to staff a Data Protection Officer. NRB provides individuals with the required competences and certifications to assist organisations in their GDPR compliance track in a DPO, CISO (Chief Information Security Officer) or other role, in project mode or in operational mode. The consultant can take on all DPO responsibilities and can assist the organisation in a broader security context in a dedicated or shared, full-time or part-time arrangement. If required, NRB can support the DPO with legal assistance through a recognised law firm.
Awareness campaigns: these are key to success in GDPR compliance. NRB not only provides awareness sessions on the GDPR requirements, but also extends awareness programs with practical sessions looking into the impact on business processes and daily operations. In addition, awareness programs are focused on acceptance of change, with the objective of raising awareness not only about data privacy but also about the necessity of the GDPR compliance program.
Program and project management: this will be key throughout your entire data protection lifecycle. Whether you need a program manager to drive the compliance track at a high level or a technical project lead to implement an automated solution, NRB provides resources with broad security competences and the organisational and communication skills needed to drive strategic change programs.
Risk assessment services: NRB is experienced in risk assessment services, which can be performed either with a broad scope covering enterprise IT security risk or with a limited scope focused specifically on data protection or GDPR compliance. A risk prioritisation and impact analysis gives your company an excellent tool for deciding on future investments, strategy and roadmap.
GDPR compliance assessment: a focused, short track towards identifying compliance gaps, and a useful tool where budget is limited and resources are scarce. NRB executes a Quick GDPR compliance assessment to identify the areas where an organisation is not compliant. A high-level prioritisation can then be defined in order to develop a compliance roadmap.
Automated data classification and protection: a critical step towards GDPR compliance is the identification and classification of data. NRB provides leadership and expertise in data classification through a combination of manual and automated methods to ensure full coverage. Data classification is a highly interactive exercise carried out in collaboration with the client’s stakeholders, who are closely involved in the decision-making process. NRB partners with organisations such as Varonis, Microsoft and others to automate data classification and data protection. Through automated classification and data protection, NRB reduces project and implementation costs. By enforcing and delegating policies, operational data management costs can also be significantly reduced.
Staff provisioning: NRB can provision security staff at different levels.
Our Key Differentiators
• NRB can rely on a rich pool of resources covering a very broad range of security services, from highly technical competences to C-level advisors. Having a competent team of experts at its disposal is a major advantage that few organisations can offer. NRB prefers to serve you with the most ‘fit for purpose’ experts within a diverse project team, to bring the right expertise at the right level at the right time.
• Our client base extends throughout all sectors on a national scale. We have worked with a broad spectrum of organisational cultures and maturity levels. This experience gives us an empathic touch which is crucial to succeed in implementing strategic change within an organisation. Our approach is well-structured and methodological, but flexible and adapted to your organisational needs, to your organisation’s capacity to change and to the objectives set by your management.
• Since the acquisition of Trasys in late 2015, NRB has become the largest national IT service provider. Our relations with vendors and partners extend beyond national boundaries and provide an unmatched pool of expertise, product support and competences. NRB is de facto a services company and is product and vendor independent. With our service approach, backed up by our partnerships, we are able to provide you with independent advice on automation solutions, and we offer a vast range of product implementation services with our own people or through our partners.
Are you interested in participating in a round table with our consultants on the GDPR?