NUIX INFO PAPER

EU GENERAL DATA PROTECTION REGULATION

The European Union finally approved a new General Data Protection Regulation (GDPR) in April 2016 that will, in effect, touch all organisations and entities offering goods or services to individuals residing in the EU. The GDPR has considerable teeth in the form of well-defined and steep monetary sanctions of up to 4% of gross global annual turnover. While there is a lengthy transition phase to the new regulation – likely to come into effect during the first half of 2018 – most organisations will have considerable work to do if they are to comply with the standards in the regulation.

Nuix can help you prepare for the GDPR by helping you to:

• Understand your data – you can’t manage what you don’t know you have.
• Quickly identify what is happening – respond to and report data breaches within the 72-hour reporting deadline.
• Manage compliance requests with an industry-leading solution to deliver responsive documents.


PREPARING FOR A NEW DATA PROTECTION FRAMEWORK

The General Data Protection Regulation answers the call by Europeans for uniform data protection rights across the European Union, regardless of where their data is processed or stored. Due to the complexity of obligations in the GDPR, organisations are already beginning to take the appropriate measures to comply.

Expanded reach

The EU GDPR applies to organisations whose data processing activities relate to offering goods or services to, or monitoring the behaviour of, EU data subjects, even if the organisation itself doesn’t reside within the EU. This is currently not the case with existing regulations.

Removal of notification requirement

In some situations, data controllers will no longer be required to notify or seek approval from the Data Protection Authority (DPA). Instead, data controllers will need to put into place effective procedures and mechanisms focusing on high-risk operations (such as implementing new technologies) and conduct a data protection impact assessment.

Accountability and privacy by design

Data controllers will have significant accountability obligations to demonstrate compliance, including documentation; conducting a data protection impact assessment for more ‘risky’ processing; and implementing data protection by design and by default. Privacy by design is a key requirement of the regulation. In certain cases, data controllers and processors must designate a Data Protection Officer as part of their accountability programme.

Consent

Data subjects must give explicit and demonstrable consent concerning their personal data, either by statement or by a clear affirmative action which signifies agreement. Importantly, they can withdraw consent at any time.

Data breach notification

Data controllers are required to notify the Data Protection Authority (DPA) within 72 hours (in most cases) of learning that a breach has occurred. What constitutes a reportable data breach is laid out in the full text of the GDPR.

Role of data processors

Under the new regulation, data processors will have direct obligations, including implementing technical and organisational measures to protect personal data and performing data breach notifications.

Sanctions

The GDPR contains a series of tiered penalties for infringements. It also gives the DPAs power to impose fines for some infringements of the regulation. The sanctions are substantial; however, there are some mitigating actions and preparations organisations can take to reduce sanctions.

International transfers

International data transfers under the GDPR are essentially unchanged from previous regulations.

Binding corporate rules

Binding corporate rules will be recognised for controllers and processors, allowing for intra-group international data transfers. They must be legally binding, apply to every member of the group and expressly confer enforceable rights on data subjects.

One-stop shop

A key element of the GDPR is the concept of a ‘one-stop shop’, where organisations will only need to deal with one Lead DPA, in the country where the organisation has its main establishment. Previously, the organisation would need to deal with a separate DPA in each country where it had a presence.

Data protection board

An independent European Data Protection Board will replace the Article 29 Working Party. It will comprise the European Data Protection Supervisor and senior representatives of the national DPAs. It will be responsible for issuing opinions and guidance, ensuring consistent application of the GDPR and reporting to the Commission.

Right to be forgotten

Individuals will have the right to require that their personal data is erased without undue delay by the data controller under certain circumstances. Additionally, data controllers will have the obligation to take reasonable steps to inform third parties that the individual has requested that their data be erased.


HOW NUIX CAN HELP

The GDPR is an important and well-intentioned regulation on behalf of all EU citizens. But in order for it to truly drive change in behaviour, it’s going to take a change in attitudes toward proactive information governance for it to become anything more than a box-ticking exercise. Nuix is dedicated to helping organisations answer the challenges posed by their data. Data is at the heart of the EU GDPR, making Nuix uniquely suited to help you ensure compliance with your new obligations.

Understand your data

You can’t protect or manage data that you don’t know you have or what it contains. Nuix information governance solutions act as the gatekeeper and first step to protecting and managing any data, enabling active governance through Information Transparency™. Nuix information governance solutions thoroughly index unstructured information to provide deep insights into your organisation’s information assets, enabling you to make informed decisions about your data and properly act on them.

Rapidly identify what happened

Nuix security and intelligence solutions help you reduce the gap between the detection and remediation of data breaches. The GDPR’s 72-hour notification window makes it vitally important to learn everything you can about a breach, fast. The more you know and can mitigate in a short period of time, the more likely the sanctions you face will be reduced or, ideally, eliminated.

Deliver evidence with confidence

It’s inevitable – you will be asked to produce evidence in response to regulatory inquiries. Our suite of powerful, integrated tools streamlines the entire process, helping you to quickly and accurately collect, process and review data to satisfy any request you may encounter.

Use the tools that regulators use

The world’s leading corporate regulators, audit and advisory firms, government departments and law enforcement agencies use Nuix in their investigations. With Nuix, you can achieve the same levels of insight into your data as these organisations and rapidly provide specific and accurate answers to regulatory, audit and legal information requests.

POWERED BY THE NUIX ENGINE

Nuix’s patented parallel processing engine can search virtually unlimited volumes of unstructured data with unmatched speed and precision. The Nuix Engine’s forensic processing capabilities have been validated by courts, government agencies and corporations worldwide.


EU GDPR RESOURCES

Full details of the EU GDPR can be found at eugdpr.org. Organisations doing business in any EU member state should take the time to familiarise themselves with the new regulation and their obligations when it goes into effect.

WHAT ABOUT EU-US PRIVACY SHIELD?

The EU GDPR is not intended to replace the EU-US Privacy Shield – an agreement that governs the cross-border transfer of data between the EU and the US. Since both efforts are still in the earliest of days in terms of fine details and clarity on what enforcement will eventually look like, many organisations are left wondering how best to proceed. Regardless of the details, three tenets will not change: know your data, respond quickly and produce responsive information. Being able to deliver in all of these areas forms the foundation of common-sense and practical data protection and privacy practices.

With fines of up to 4% of gross global annual turnover at stake, it is extremely risky to hold off on preparations until the regulation comes into force. You can start to prepare now by putting appropriate practices and technology in place that enable smart, fast and accurate decision making. Such investments will position your organisation to mitigate the risk of fines and protect its brand value and market share.

To find out more about how Nuix can help you meet the new data protection regulations, visit nuix.com

ABOUT NUIX

Nuix protects, informs and empowers society in the knowledge age. Leading organisations around the world turn to Nuix when they need fast, accurate answers for investigation, cybersecurity incident response, insider threats, litigation, regulation, privacy, risk management and other essential challenges.

» Web: www.symstor.com/nuix