The EU General Data Protection Regulation (GDPR) entered into force on 24 May 2016, but it applies only from 25 May 2018, giving organisations two years to absorb the new framework. This is certainly the case for the 27 EU member states other than the United Kingdom; whether GDPR will also apply in the UK depends on how the negotiations between the UK and the EU evolve.
The EU GDPR introduces several important changes with respect to the previous EU data protection framework. These changes will affect organisations substantially, so GDPR deserves close attention. An assessment of the impact of the GDPR should revolve around three key points of analysis:
1) Identifying the new obligations relevant to the organisation;
2) Identifying gaps between the current state of compliance and the standard required by GDPR;
5) Assessing the changes, including organisational changes, required to meet GDPR requirements, the time needed to make them and the associated cost.
GDPR has a substantial impact on emerging technologies and on the IoT vision. Some key points to reflect on are:
1) Putting systems and policies in place for reacting quickly to any personal data breach (the regulation requires notifying the supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals).
2) Embracing privacy by design as a cross-organisation modus operandi and culture.
3) Writing clear, easy-to-understand privacy policies for the engagement with customers and with every party along the value chain.
4) Keeping the rights of data subjects firmly in mind (for example, limits on personal data retention and the right to erasure, also known as the right to be forgotten).
5) Establishing a framework for accountability in the organisation.
6) And, finally, being aware that the GDPR sets heavy penalties for infringements and incorrect application of the regulation (up to EUR 20 million or 4% of total annual worldwide turnover, whichever is higher).