The EU General Data Protection Regulation comes into force on 25 May 2018. Businesses need to make special preparations ahead of that date. IT security plays a key role.
The figures are disturbing: more than a third of all businesses are not yet sufficiently prepared for the EU General Data Protection Regulation (EU GDPR), according to the latest surveys. Most fear they will not be ready by the time the Regulation comes into effect. Some still do not even know what the EU GDPR will mean for them.
The costs involved could be considerable, depending on the company. Not only does the EU GDPR involve the need to appoint a data protection officer, it also requires a description of all processes involving personal data, for example. While a number of exemptions are provided for companies with fewer than 250 employees, these depend for the most part on the sector, area of activity or the data being processed.
The data protection reform also places major demands on IT security: according to Article 5 of the Regulation, “appropriate security of the personal data” must be ensured. What counts as appropriate depends essentially on the state of the art, which raises new questions, and what may be considered the “state of the art” is currently under discussion. For initial orientation and for categorising their own systems, companies can turn to the “Recommendation on the state of the art” published by TeleTrusT (IT Security Association Germany), which provides an overview (in German) broken down by IT technology. The Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security, BSI) is also making material available to help with risk categorisation, and its IT baseline protection (IT-Grundschutz) addresses data protection in the updated CON.2 module.
Preparations for the new rules are also in progress with the data protection authorities of the various German states: they have engaged additional staff to deal appropriately with future checking processes. They are also making special information material available. For example, the data protection officer in Bavaria has developed a questionnaire to guide businesses through the data protection maze.
Anyone concerned that they will not achieve data protection conformity by the due date should consider bringing in external advisers. Setting the right priorities also makes a difference: professionals recommend focusing first on the publicly accessible handling processes that involve personal data, since this is potentially visible to third parties.
The introduction of the EU GDPR will also have some very positive effects for the economy: companies operating internationally will benefit greatly from the General Data Protection Regulation, since the same data protection law will apply in all EU member states. There will be no need for costly, labour-intensive adaptations to other legal systems. And companies that are particularly well prepared can draw on the appropriate information to actively advertise their trustworthiness.