GDPR isn't just standard data protection waffle

I know you’re probably tired of hearing about GDPR.

GDPR isn't just standard data protection waffle. It's a whole new way of approaching personal data, and it's obvious when an organisation hasn't even bothered to attempt to comply. It has to be stressed that the main threats to your business with regard to GDPR aren't directly from the ICO, but rather from employees and clients who will want assurance that you can properly demonstrate that you know what you're actually doing.


World's Most Valuable Company Capitalises on Privacy Panic

No doubt with the latest privacy scares in mind, but also to comply with the upcoming EU GDPR, Apple are implementing a large-scale overhaul of their privacy controls on all Apple devices from iOS 11.3 onwards (with over 1 billion iPhones sold and counting, that’s a LOT of devices).

Just for a start the Cupertino giant is:

1) Introducing new privacy icons that show up when Apple first asks to use your data.

2) Introducing four new tools that let you:
a - Get a copy of your data
b - Request a correction to your data
c - Deactivate your account
d - Delete your account


Right to be Forgotten under the GDPR

The so-called right to be forgotten (RTBF) is probably one of the most actively debated aspects of the original proposal by the EU Commission for the General Data Protection Regulation.

Article 17(1) of the GDPR establishes that data subjects obtain the right to have their personal data erased if:

  • the data is no longer needed for its original purpose and no new lawful purpose exists;
  • the lawful basis for the processing is the data subject’s consent, the data subject withdraws that consent, and no other lawful ground exists;
  • the data subject exercises the right to object, and the controller has no overriding grounds for continuing the processing;
  • the data has been processed unlawfully; or
  • erasure is necessary for compliance with EU law or the national law of the relevant member state.


How to Forge a Cyber-Security Strategy for 2018

Intrusion Detection System
Much of a strong information security plan depends on having the tools to detect breaches in the first place. Without the technical tools in place to realise you’re under attack, your business continuity planning and risk prevention might as well be pointless. Just to give you an example of the headaches this will cause in the future if not addressed: under the GDPR you’re obligated to put in place a comprehensive personal data breach notification process (covering both the Information Commissioner's Office and the affected victims of personal data theft). However, this requirement can only be fulfilled if you have the means to detect that a breach has happened in the first place. The fines we’ve seen so far indicate that not being aware of breaches is actually a far bigger compliance hazard than the steps you need to take afterwards.


How to Protect Personal Data When Moving It Between Countries While Working in a Global Company

The upcoming EU GDPR introduces a relatively new method of ensuring adequate protection for personal data when it is transferred to countries outside the European Economic Area between different sections of the same corporate group.

These are known as “Binding Corporate Rules” and are seen as the new gold standard for intra-company data protection.

These were developed because relying on repeated, transfer-by-transfer contractual arrangements is not a cost-effective or practical way of legitimising international transfers for data-reliant organisations operating across the globe.
