This is taken from Dark Data: The Hidden Risk to GDPR Non-Compliance, a free industry guide authored by Tim Hyman. In it he examines the requirements of GDPR and explains how dark data could be impacting your compliance efforts. Learn best-practice solutions for new compliance workflows designed to protect your organization.
The General Data Protection Regulations (GDPR) are the most significant development in data protection that Europe, and possibly the world, has seen over the past 20 years. Unsurprisingly, GDPR is designed to consider the utilization of modern technologies – both the way we work with them today and are likely to work with them in the future.
In addition, there is a much greater emphasis on compliance following a widely-held belief that businesses, particularly in the UK, had not previously taken data privacy seriously enough. To reinforce this, penalties are considerably harsher, and the compliance requirements are intended to spread a far wider net to include small and medium businesses and the third-party contractors they use.
There are eight key principles detailed in the GDPR:
- Personal data shall be processed fairly and lawfully
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
- Personal data shall be accurate and, where necessary, kept up to date
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes
- Personal data shall be processed in accordance with the rights of data subjects under this Act
- Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
These principles can be summarized as protecting the fundamental right to privacy; data to be accurate and only kept for good business reason; data kept only as long as necessary and protection from transfer to unapproved jurisdictions. In addition, the themes of 'privacy by design' and 'accountability' feature consistently throughout the text.
Tim is an independent consultant specializing in information security and GDPR technology compliance. This follows 20+ years as an IT Director of top 20 law firms including Reed Smith, Olswang and Taylor Wessing, with a broad-based management responsibility for strategy, systems design, implementation and support.