:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/ZLPTURWTU6ZKBVVAPOYJXQL7OU.jpg)
:fill(white):background_color(white)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/IXV55INVXTLFKAFOOHZMKW5MXI.jpg)
Two significant pieces of European legislation will be implemented in Ireland in 2018. Firstly, the EU General Data Protection (GDPR) and secondly the Network and Information Security Directive (NISD).
For some organisations, there will be an overlap of directives and therefore they need to be aware of the implications of both.
The GDPR will be enforceable from May 25th, 2018. It replaces Directive 95/46/EC with the aim of harmonising EU data-protection law. The GDPR impacts many areas of an organisation, not just legal and compliance. It also engages functions tasked with information technology and security, data governance and information management, as well as sales, marketing and digital.
The GDPR introduces new requirements and challenges for legal and compliance functions. Many organisations will require a data protection officer who will have a key role in ensuring compliance. If the GDPR is not complied with, organisations will face the heaviest fines yet – up to 4 per cent of global turnover. A renewed emphasis on organisational accountability will require proactive and robust privacy governance.
New GDPR requirements will mean changes to the ways in which technologies are designed and managed. Documented privacy risk assessments will be required to deploy major new systems and technologies. Security breaches will have to be notified to regulators within 72 hours and the concept of ‘Privacy by Design’ has now become enshrined in law, with Privacy Impact Assessments expected to become commonplace across organisations. In addition, organisations will be expected to focus more on data-masking, pseudo-anonymisation and encryption.
Individuals and teams tasked with information management will be challenged to provide clearer oversight on data storage, journeys and lineage. Having a better grasp of what data is collected and where it is stored will make it easier to comply with new data subject rights – the right to have data deleted, rectified, and to have it ported to other organisations (portability).
Strengthen consumers’ rights
The GDPR aims to strengthen consumers’ rights, and organisations that are transparent and open are more likely to reap the rewards. A combination of both tactical and strategic actions will be required to address GDPR compliance.
Stakeholder awareness: make sure stakeholders are fully aware of the GDPR and the impact it will have on the organisation. Ensure buy-in is achieved from the board and senior management.
Readiness assessment: conduct a readiness assessment to understand how near or far away your organisation is from the new requirements of the GDPR and the effort required to remediate.
Data inventory and mapping: compile an inventory of the personal data that is collected, who it is shared with and what controls govern its use.
Governance: use the GDPR to assess your holistic approach to privacy – do you have a data protection officer? Who is ultimately accountable? How are you going to bring together different areas of the business to manage privacy risks on an ongoing basis?
Legal compliance: review approaches to capturing consent. Re-draft privacy notices and determine how compliance will be demonstrated.
Technology: deploy technology and processes to bring about a privacy by design culture, and create a robust breach-management procedures.
Data: ensure the organisation has the right data-governance practices to respond efficiently to the new rights afforded to individuals.
NISD (2016/1148) concerns the loss of service for organisations in scope. It comes into force in May 2018 also.
The NISD categorises organisations into:
Operators of essential services (OES), of which there are seven categories, including the energy sector, transport, banking, provision of drinking water and health.
Providers of online marketplaces, online search engines and cloud computing services will be defined as Digital Service Providers (DSP).
The directive obliges network and information security for OES to provide for network security and business continuity in critical sectors and DSP to provide similar security in online environments.
NISD will oblige OES to adopt a high level of risk-management practices and notify national authorities of serious incidents. DSPs will also be obliged to notify authorities about incidents. Such incidents could include network breaches that lead to a leakage of data.
It should also be noted that NISD imposes no penalties except for failure to report a breach.