The new EU General Data Protection Regulation (GDPR) standardises the protection of personal data across the EU and will come into force on 25 May 2018. National legislation in Germany, Austria and Switzerland, as well as in other countries, is currently being aligned with this regulation. As a result, data security and transparency in the use of personal data will have to be ensured (even more) consistently in the future. The GDPR will affect organisations, and IT in particular, in several ways:
Liability for data breaches
The loss of protectable personal data goes hand in hand with hefty fines, whether the responsible party is the organisation itself or a contractor processing data on its behalf.
Lex loci solutionis
Where the service is rendered, i.e. the location of your headquarters, is irrelevant. What is decisive is that the affected individuals are located in the EU.
Impact assessment for data protection (losses)
Organisations are obliged to keep a qualified inventory of data and processing operations, as well as impact assessments covering the consequences of a loss of personal data.
Rights of individuals affected
Affected individuals gain sweeping rights to determine how their personal data is used: the rights to information, access, correction, appeal, transferability and deletion. Processing personal data requires specific permission, which may, where necessary, be limited in time.
The role of IAM
Identity & access management (IAM) supports compliance with the GDPR wherever:
- A risk inventory is created and protection levels play a role.
- The access to and processing of protectable data must be controlled and verified.
- Processing operations must be protected and transparent.
- Contractors must handle data entrusted to them in a manner compliant with the GDPR and be able to prove this, too.
The rights of the customer must be preserved efficiently and securely throughout the interaction.