Getting ready for new EU data protection legislation in 2018

Posted on: October 11, 2017 by Deborah Dillon

With Big Data, artificial intelligence (AI) and machine learning becoming widespread, there are major implications for privacy and data protection – especially in the case of personal data.

The General Data Protection Regulation (GDPR) applies across all EU member states from 25 May 2018, with no transition period, so organizations must be compliant from day one. It replaces the 1995 Data Protection Directive (implemented in the UK as the Data Protection Act 1998), explicitly names biometric and genetic data as special categories of personal data, and brings the regulatory environment up to date for Big Data.

Transparency and accountability

The new Regulation is designed to promote and facilitate data-sharing by putting in place principles and safeguards that protect individuals' privacy and keep cyber security intact. Transparency and accountability are key: individuals must be given clearer information about how their data is used and processed, and they gain stronger rights to access, correct and challenge the use of their own data.

Best practice will be to combine encryption with the anonymization or pseudonymization of Big Data to safeguard personal details and protect against their misuse. The UK Information Commissioner's Office's anonymisation code of practice describes the steps that organizations can take to ensure that anonymization is conducted effectively while still retaining useful data. One distinction matters for the security design: under the Regulation, pseudonymized data (for example, a keyed hash or a token that the key holder can map back to the individual) is still personal data, and so is encrypted data to anyone who holds the key; only data from which individuals can no longer reasonably be identified falls outside its scope.
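Because the distinction between anonymization and pseudonymization drives the security design, here is a worked example in Python. It is an added illustration, not code from the original article, from Atos or from the ICO code: it pseudonymizes a direct identifier (e-mail) with a keyed hash, shows why an unkeyed hash of the same identifier is not anonymization, and checks a generalized release table for k-anonymity before it leaves the controller. The records, the key and the column names are constructed for illustration.

```python
"""Pseudonymisation and a k-anonymity check over a constructed toy dataset.

Added example, not code from the original article or from the ICO's code of
practice. It shows three things a practitioner needs before releasing Big
Data for analytics:
  1. an unkeyed hash of an identifier is not anonymisation (it falls to a
     dictionary attack over plausible identifiers);
  2. a keyed hash (HMAC) gives a pseudonym that is stable for joins but
     cannot be recomputed without the key, which must be held separately;
  3. generalising quasi-identifiers (postcode, date of birth) can be checked
     for k-anonymity before the table leaves the controller.
"""
import hashlib
import hmac
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample records: addresses, dates and diagnoses are invented.
RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "dob": "1984-03-02", "diagnosis": "asthma"},
    {"email": "bob@example.com",   "postcode": "SW1A 2BB", "dob": "1986-11-19", "diagnosis": "diabetes"},
    {"email": "carol@example.com", "postcode": "M1 1AE",   "dob": "1972-07-30", "diagnosis": "asthma"},
    {"email": "dave@example.com",  "postcode": "M1 4BT",   "dob": "1975-01-05", "diagnosis": "hypertension"},
]

# Hypothetical pseudonymisation key. In a real deployment it lives in a
# KMS/HSM under the controller's control, never alongside the released data.
PSEUDONYM_KEY = b"hypothetical-32-byte-secret-key!"

# Columns that, combined, could be linked to public data (electoral roll,
# social media) to single out a person even with the e-mail removed.
QUASI_IDENTIFIERS = ("postcode_area", "birth_decade")


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 of the identifier, commonly mistaken for anonymisation."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: deterministic, so records of one person still
    join, but only the key holder can map an identifier to its pseudonym."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def dictionary_attack(target: str, candidates: Iterable[str],
                      key: Optional[bytes] = None) -> Optional[str]:
    """Re-identification attempt: recompute the digest for every candidate
    identifier and compare. Returns the matching identifier or None."""
    for cand in candidates:
        digest = pseudonymise(cand, key) if key is not None else unkeyed_hash(cand)
        if hmac.compare_digest(digest, target):
            return cand
    return None


def generalise(record: Dict[str, str]) -> Dict[str, str]:
    """Coarsen the quasi-identifiers: full postcode -> outward code (district),
    date of birth -> decade. The analytic value (diagnosis) is kept."""
    decade = (int(record["dob"][:4]) // 10) * 10
    return {
        "postcode_area": record["postcode"].split()[0],
        "birth_decade": f"{decade}s",
        "diagnosis": record["diagnosis"],
    }


def k_anonymity(rows: List[Dict[str, str]]) -> int:
    """Size of the smallest group of rows sharing the same quasi-identifier
    values; the table is k-anonymous for every k up to this number."""
    groups = Counter(tuple(row[q] for q in QUASI_IDENTIFIERS) for row in rows)
    return min(groups.values()) if groups else 0


def release_table(records: List[Dict[str, str]], key: bytes, k: int) -> List[Dict[str, str]]:
    """Build the release: pseudonymised identifier plus generalised attributes.
    Refuses to release if any quasi-identifier group is smaller than k."""
    rows = [{"pseudonym": pseudonymise(r["email"], key), **generalise(r)} for r in records]
    achieved = k_anonymity(rows)
    if achieved < k:
        raise ValueError(f"release would be only {achieved}-anonymous, {k} required")
    return rows


if __name__ == "__main__":
    emails = [r["email"] for r in RECORDS]
    # 1. Unkeyed hash: trivially reversed from a list of plausible addresses.
    print("unkeyed hash reversed to:", dictionary_attack(unkeyed_hash("alice@example.com"), emails))
    # 2. HMAC pseudonym: the same attack fails without the key.
    print("HMAC reversed without key:", dictionary_attack(pseudonymise("alice@example.com", PSEUDONYM_KEY), emails))
    # 3. Generalised release that satisfies k=2 (k=3 would be refused).
    for row in release_table(RECORDS, PSEUDONYM_KEY, k=2):
        print(row)
```

Two caveats follow from the Regulation's definitions. The released rows still carry a pseudonym, so to the key holder they remain personal data; dropping that column and keeping only the generalised attributes is what moves the output towards anonymised data. And k-anonymity alone does not stop attribute disclosure: if every row in a quasi-identifier group shared the same diagnosis, the group would reveal it, so a real release also checks diversity of the sensitive column within each group.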

Roadmap for compliance

Based on the Information Commissioner’s Office best practice, organizations will need to consider the following critical questions as they prepare for GDPR:

  • Do you know what personal information you hold, and on which system it resides?
  • How will the ‘right to be forgotten’ impact your organization?
  • Will data portability have an impact?
  • Do you have a Data Protection Officer who reports at board level?
  • Do you track complaints referred to you by the Information Commissioner’s Office, and undertake root cause analysis on each case?
  • Are all your Data Privacy policies updated on a regular basis and how do you check that they are effective?
  • Do you delete personal information in line with a retention schedule?
  • Are your models for obtaining consent in line with GDPR requirements?
  • How would a GDPR fine of up to €20 million, or 4% of annual worldwide turnover if that is higher, affect your organization?

A specialist gap analysis can assess an organization's current provisions against the Data Protection Act, highlighting areas of good practice and the improvements required. Mapping those findings to the GDPR's provisions identifies the high-risk areas that need extra focus in the run-up to May 2018 and produces a practical, prioritized roadmap for this important area of compliance.

With these preparations in place, organizations can show that they have identified and mitigated the risks associated with the new Regulation, and can ensure that data protection is built into data and analytics projects from the start, as the Regulation's 'data protection by design and by default' requires. If followed correctly, the Regulation won't hinder the use of data; it will enable its wider use by helping organizations to address risk and to ensure the transparency and security of data that the digital age needs.

Digital Vision for Supercomputing & Big Data

This article is part of the Atos Digital Vision for Supercomputing & Big Data opinion paper. The challenge for any organisation is how to turn data into tangible advantage. Becoming truly data-driven is perhaps our most definitive step into the digital age. In our Digital Vision for Supercomputing & Big Data, we explore the implications for organisations and what lies ahead.


About Deborah Dillon
Data Privacy Lead
Deborah Dillon is Lead Auditor, Business & Platform Solution for Atos UK&I. She specialises in Information Governance, including the application and implementation of Data Protection processes and procedures across a wide range of organisational areas. She is a BSI accredited ISO 27001/2 Lead Auditor.
