After much fanfare, the General Data Protection Regulation (GDPR) was approved by the EU Parliament on April 14, 2016. The enforcement date for this regulation is May 25, 2018. Companies that are not in compliance by that date face the potential for heavy fines. The EU General Data Protection Regulation replaces the Data Protection Directive 95/46/EC and was designed primarily to harmonize data privacy laws across Europe, to protect and empower the data privacy of all EU citizens, and to reshape the way organizations across the region approach data privacy. The regulation has a profound impact on businesses that operate in the EU. Maximum penalties may be as high as 4% of annual global turnover or €20 million (whichever is higher).
In recent years, we have seen massive data breaches at companies that have exposed private information and other sensitive information without consent. Many of these breaches have been due to cyber-attacks against companies of all sizes, and the newspapers are full of them. The new GDPR regulation requires that breaches be reported to the relevant regulator without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Data subjects must be informed without undue delay of breaches likely to result in a high risk to their rights and freedoms, unless the data has been rendered unintelligible to any third party (for example, by encryption). Data processors are required to inform data controllers of any breach without undue delay.
What does all this mean for validated systems?
If you operate in the EU and your validated systems include sensitive data or data of a personal nature, such as patient information, you are subject to the requirements of the GDPR. You also need to look at the data integrity and security practices around each validated system. We strongly recommend the Cybersecurity Qualification (CyQ) discussed in a previous post. The CyQ assesses a firm's readiness to protect itself against cyber-attack. This could go a long way toward meeting the requirements of GDPR, since the cybersecurity qualification requires documentation of your security controls.
I recommend reading the GDPR and becoming familiar with it before May 2018. Assess the controls within your validated systems environment to determine how vulnerable your systems really are and how ready you are to comply with this regulation. I assure you more will be forthcoming on this topic in the months to come. WATCH THIS SPACE.