Cyber rights from the new GDPR
I once read that big companies like Google, Facebook or Amazon were hiring more lawyers than IT engineers because they store large amounts of personal information and need to know how they can move that personal information from one country to another without facing fines. Their lawyers have to know the personal data protection laws of every country and, therefore, international law, both to avoid fines against these big companies and to know where the best place is to build new data centres (CPDs) for moving personal data.
Today, most Spanish people know about the LOPD, a Spanish law that is mandatory for all companies that handle, process and store personal information. However, the new Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data is going to change the paradigm of personal data protection when it applies from May 2018. From then on, all companies and public authorities in the European Union will have to follow the same rules, which are stricter and more decisive than our LOPD but better and more useful for all citizens.
An important change is the new role of the Data Protection Officer, or DPO, who will inform and advise the controller about its obligations, monitor compliance, provide advice regarding data protection impact assessments and monitor their performance, cooperate with the supervisory authority, and act as the contact point for the supervisory authority on issues relating to processing. Therefore, the DPO should be someone with specialized knowledge of law, data protection and information security. This new role will be mandatory for all public authorities and for companies that process personal data on a large scale.
Another thing to mention is incident management and incident response: the controller has to notify the supervisory authority when there has been a personal data breach. This notification should be made within 72 hours of becoming aware of the breach, and if the breach could adversely affect someone's privacy, the incident management process must also notify the affected people. This is therefore a good way for citizens to learn whether our personal information has been compromised, which is useful for taking countermeasures and, why not?, for no longer trusting certain companies. It is also a challenge for companies if they don't want to be punished and want to keep their reputation.
The new role of the DPO and the incident management process are only some parts of the new regulation, because we'll also have to take Privacy Impact Assessments (PIA) into account to know the risk and impact of personal data breaches, much like a Business Impact Analysis but for personal information. As a result, a Risk Management Process will be useful for companies and public authorities. Finally, the International Association of Privacy Professionals has released a Privacy Impact Assessment (APIA) System to help us carry out PIAs.
Regards my friends and remember, there are standards like ISO 27000 and ISO 31000 which help us comply with this new regulation.