The General Data Protection Regulation (GDPR) is an agreement reached by the European Commission, Council and Parliament that provides data security for personal and corporate information throughout the European Union. Though the regulation does not take effect until May 2018, it is a good idea for all enterprises to prepare for the imminent change so as not to derail any projects and to maximize efficiency throughout the transition process. This article will cover what project managers need to know concerning the UK regulation of the GDPR.
Data Protection Officers
Per the GDPR, the hiring of a data protection officer (DPO) is mandated for all firms employing over 250 people or processing the information of more than 5,000 people in a 12-month timeframe. Unlike a compliance officer, a DPO is required to protect all processed data and can be employed full-time or contracted, depending on budgetary constraints. Each DPO must have exemplary knowledge in order to comply with hiring mandates.
After the implementation of the GDPR, the penalty for failing to comply will be significantly raised. For serious non-compliance, such as breaches of data protection standards or breaches of international transfer restrictions, companies can be fined up to €20 million or 4% of total worldwide turnover, whichever amount is larger. Conversely, less serious offenses, like failing to adequately maintain a data processing register, will incur a fine that will not exceed €10 million or 2% of the total worldwide turnover, whichever amount is larger.
One way to ensure accurate and easily manageable data protection is by implementing Clarizen’s online security protection, which ensures both compliance and protection against any potential breach. With server farms located in both the US and Europe, Planview AdaptiveWork’s online security protection provides a reliable means of achieving and maintaining proficient data protection.
The GDPR decrees that all data processors and controllers must demonstrate their compliance with decreed data protection guidelines, including the implementation and proper upkeep of data processing registers. This requirement was intended to encourage enterprises to implement inclusive data protection standards to minimize any and all risks pertaining to data security breaches.
Some potential standards include the optimization of privacy impact assessments, especially for accounts involving high-risk processing, and incorporating data protection into their DNA rather than implementing it later. While accountability has always been present in data protection law, the GDPR emphasizes and amplifies its importance. This means that current enterprises should ensure compliant record-keeping practices and policy requirements.
In the event of a breach, companies are required to notify the proper authorities when any significant data loss occurs. If possible, companies should report within 24 hours; however, they may be penalized if they wait longer than 72 hours to file a report. Additionally, companies must maintain records of each breach where authorities are not notified. Concurrently, if a breach affects or poses a threat to any individual’s rights or liberty, that individual must be notified.