The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and applies to any organisation processing the personal data of individuals in the EU, wherever that organisation is based. Particular care is needed where ‘special categories’ of personal data are held (what earlier legislation called ‘sensitive personal data’: for example health, genetic or biometric data, and data revealing racial or ethnic origin, political opinions or religious beliefs). The obligations on organisations that hold such data are considerable, and the consequences of a data breach all the more so.
A number of principles apply under GDPR including:
- Lawfulness, Fairness & Transparency
- Purpose Limitation
- Data Minimisation
- Storage Limitation
- Integrity & Confidentiality
All of the above place a much greater emphasis on an organisation’s responsibility to demonstrate GDPR compliance, not merely to achieve it. For example, from a ‘Lawfulness, Fairness & Transparency’ perspective, consent must be freely given, specific, informed and unambiguous (and explicit where special categories of data are involved); a request for consent must be clearly distinguishable from other terms and conditions; the organisation must be able to show that consent was given; and withdrawing consent must be as easy as giving it. In practice this means that any system (database) holding personal data should also record the status of consent for each purpose of processing, together with when and how it was obtained or withdrawn, and offer the ability to report on and update this, so that the organisation can prove that it is actively complying with the regulation.
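As an added illustration of the consent-tracking requirement described above (example code written for this page, not part of the original article or of any particular product), the following Python snippet using the standard library’s sqlite3 module keeps consent as an append-only ledger of events rather than a single overwritable flag. Every grant or withdrawal is stored with its time and the evidence behind it, the current position for each purpose is derived from the latest event, and database triggers refuse any attempt to edit or delete history, so the log can stand as proof of what was consented to and when. Table and function names, the purposes and the sample subject data are all constructed for the example.

```python
import sqlite3
from datetime import datetime, timezone

# Append-only consent ledger. Triggers make UPDATE and DELETE fail, so
# history can only grow; "current consent" is always the newest event.
SCHEMA = """
CREATE TABLE IF NOT EXISTS consent_events (
    event_id    INTEGER PRIMARY KEY AUTOINCREMENT,
    subject_id  TEXT    NOT NULL,           -- the data subject (pseudonymous id)
    purpose     TEXT    NOT NULL,           -- e.g. 'marketing_email'
    granted     INTEGER NOT NULL CHECK (granted IN (0, 1)),
    recorded_at TEXT    NOT NULL,           -- ISO 8601, UTC
    evidence    TEXT    NOT NULL            -- how consent was captured/withdrawn
);
CREATE TRIGGER IF NOT EXISTS consent_events_no_update
    BEFORE UPDATE ON consent_events
    BEGIN SELECT RAISE(ABORT, 'consent log is append-only'); END;
CREATE TRIGGER IF NOT EXISTS consent_events_no_delete
    BEFORE DELETE ON consent_events
    BEGIN SELECT RAISE(ABORT, 'consent log is append-only'); END;
"""


def open_consent_db(path=":memory:"):
    """Open (or create) the consent database and install the schema."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def record_consent(conn, subject_id, purpose, granted, evidence, when=None):
    """Append one consent event (a grant or a withdrawal). Never overwrites."""
    when = when or datetime.now(timezone.utc).isoformat()
    conn.execute(
        "INSERT INTO consent_events (subject_id, purpose, granted, recorded_at, evidence) "
        "VALUES (?, ?, ?, ?, ?)",
        (subject_id, purpose, int(bool(granted)), when, evidence),
    )
    conn.commit()


def current_consent(conn, subject_id):
    """Latest decision per purpose for one subject: {purpose: True/False}."""
    rows = conn.execute(
        """
        SELECT purpose, granted
        FROM consent_events e
        WHERE subject_id = ?
          AND event_id = (SELECT MAX(event_id) FROM consent_events
                          WHERE subject_id = e.subject_id AND purpose = e.purpose)
        ORDER BY purpose
        """,
        (subject_id,),
    ).fetchall()
    return {purpose: bool(granted) for purpose, granted in rows}


def has_consent(conn, subject_id, purpose):
    """Gate for processing: no recorded consent means no consent."""
    return current_consent(conn, subject_id).get(purpose, False)


def consent_history(conn, subject_id, purpose):
    """Full audit trail for one subject and purpose, oldest first."""
    return conn.execute(
        "SELECT recorded_at, granted, evidence FROM consent_events "
        "WHERE subject_id = ? AND purpose = ? ORDER BY event_id",
        (subject_id, purpose),
    ).fetchall()


def try_tamper(conn, subject_id, purpose):
    """Attempt to rewrite a withdrawal as a grant. Returns True if the DB refused."""
    try:
        conn.execute(
            "UPDATE consent_events SET granted = 1 WHERE subject_id = ? AND purpose = ?",
            (subject_id, purpose),
        )
        conn.commit()
        return False
    except sqlite3.DatabaseError:
        conn.rollback()
        return True


if __name__ == "__main__":
    # Constructed sample data for demonstration only.
    db = open_consent_db()
    record_consent(db, "subj-001", "marketing_email", True, "web form v3, checkbox ticked",
                   when="2018-05-25T09:00:00+00:00")
    record_consent(db, "subj-001", "analytics", True, "web form v3, checkbox ticked",
                   when="2018-05-25T09:00:00+00:00")
    record_consent(db, "subj-001", "marketing_email", False, "unsubscribe link in email",
                   when="2018-06-01T12:00:00+00:00")
    print("current:", current_consent(db, "subj-001"))
    print("history:", consent_history(db, "subj-001", "marketing_email"))
    print("tamper refused:", try_tamper(db, "subj-001", "marketing_email"))
```

The point of the design is that a plain `consent BOOLEAN` column cannot answer the questions a regulator or a data subject will ask (when was consent given, through what wording, when was it withdrawn), whereas the event log answers all three and cannot be silently corrected after the fact. Purposes never recorded for a subject report as not consented, which is the safe default.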
Integrity and Confidentiality – ‘data protection by design’
Data protection by design and by default is an integral aspect of GDPR and requires that organisations build data protection in from the ground up rather than bolt it on afterwards; the regulation names pseudonymisation and encryption among the measures it expects. Any organisation that employs, or is considering employing, cloud based databases should weigh the security implications against those of an ‘on premise’ solution. Neither is inherently safer: what matters is the concrete controls in place (encryption at rest and in transit, who holds the keys, access control and logging, and where the data physically resides) and, where a cloud provider processes the data on the organisation’s behalf, a written contract setting out the provider’s obligations. An on premise solution may well offer greater protection, but only where the organisation actually operates those controls itself.
The impact of GDPR on an organisation will vary according to the nature and granularity of the data being collected and held, but for the organisations affected, good database design, data integrity and the ability to report on both will be of paramount importance.