The General Data Protection Regulation, or GDPR, has become a talking point for many organisations as they begin to consider the changes they need to make to comply with the new legislation. If you aren't aware of GDPR, it applies from 25th May 2018, replacing the 1995 Data Protection Directive and bringing data protection law into line with the digital age.
We are now halfway through the transitional period for adopting the regulation, and many organisations are still confused and baffled by the actions they need to take to work towards compliance. Since GDPR was announced there has been a torrent of information: differing reports, warnings, research and advice. Everyone seems to be talking about it, from legal experts and the government to IT companies and the media.
We don’t pretend to be experts with GDPR. At the end of the day, as an IT company we know what security you need to protect your business because that’s what we are good at. We’re not legal experts, yet we can tell you what we know and what we have been told within our industry to help you on your journey with GDPR. We’ve put together a short guide to GDPR to make sure you have the basics of what you need to know. It is important to note that the legislation involves over 200 pages of documentation so this short blog will be key points and not exhaustive.
Non-compliance and penalties
The first thing we need to talk about is the financial impact GDPR can have on your organisation. The maximum penalty for non-compliance is €20 million or 4% of your annual global turnover, whichever is higher. Fines on that scale put data protection failures in the same financial league as corruption or bribery offences, and they are substantially more severe than the previous maximum of £500,000 that the ICO could impose under the Data Protection Act 1998.
The EU and Brexit
One of the first things we hear when we talk about GDPR is that it will not apply to the UK because of Brexit. The UK was heavily involved in developing GDPR, and even though it is EU legislation the UK Government has stated that it will implement it despite Brexit. The central purpose of the legislation is to protect individuals in the EU and their data, and its reach is not limited to EU-based organisations: any business that offers goods or services to people in the EU, or monitors their behaviour, must follow GDPR even if it is based outside the EU, for example in the United States or Asia. A UK organisation holding such data will be in exactly the same position.
It is also important to consider how GDPR widens the definition of personal data and includes information such as online identifiers, e.g. IP addresses. In broad terms, GDPR will apply to any information that can be used to identify an individual. Personal information can include categories such as name, date of birth and location but also things like genetic, mental, economic or social information.
The Right to be Forgotten
Under the General Data Protection Regulation, organisations must not hold personal data for longer than is necessary for the purpose it was collected for, and must not use it for a different purpose from the one for which it was originally collected (purpose limitation). Most importantly, organisations must be able to delete a data subject's personal data when they request it. The right to erasure is not absolute: data that must be kept to meet another legal obligation, for example, can be retained, but the organisation needs to know which records those are and be able to justify keeping them. As a result, businesses must ensure they have the appropriate processes and technology in place to find every copy of a subject's data, delete it, and record what was done, so that they can deal with these requests within the one-month response window the regulation allows.
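One way an application could enforce those three obligations (retention limits, purpose limitation and erasure with a legal-hold exemption) is sketched below. This is an added example, not code from the original post or from any product; the purposes, retention periods, record layout and sample subjects are all constructed, and a real system would also have to reach backups, logs and third-party processors that this in-memory store does not model.

```python
"""Hypothetical retention, purpose-limitation and erasure enforcement for a store
of personal data. Added example, not the author's code; the purposes, retention
periods and sample records are constructed values."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Assumed retention limits per collection purpose (constructed, not from the page).
RETENTION: Dict[str, timedelta] = {
    "order_fulfilment": timedelta(days=30),
    "marketing": timedelta(days=365),
}


@dataclass
class Record:
    subject_id: str
    purpose: str              # purpose the data was collected for
    collected_at: datetime
    payload: dict
    legal_hold: bool = False  # true when another legal obligation requires retention


class PersonalDataStore:
    """Keeps records only as long as their purpose needs them and honours erasure requests."""

    def __init__(self) -> None:
        self._records: List[Record] = []
        self.audit: List[str] = []  # one line per deletion or refusal, for the accountability record

    def store(self, subject_id: str, purpose: str, payload: dict,
              now: datetime, legal_hold: bool = False) -> Record:
        # Refuse to collect data for a purpose that has no defined retention period.
        if purpose not in RETENTION:
            raise ValueError(f"no retention period defined for purpose {purpose!r}")
        rec = Record(subject_id, purpose, now, payload, legal_hold)
        self._records.append(rec)
        return rec

    def use(self, rec: Record, purpose: str) -> dict:
        # Purpose limitation: data may only be used for the purpose it was collected for.
        if rec.purpose != purpose:
            raise PermissionError(f"{rec.purpose!r} data cannot be reused for {purpose!r}")
        return rec.payload

    def expire(self, now: datetime) -> int:
        """Delete every record past its retention period; returns the number removed."""
        keep, removed = [], 0
        for rec in self._records:
            expired = now - rec.collected_at > RETENTION[rec.purpose]
            if expired and not rec.legal_hold:
                removed += 1
                self.audit.append(f"expired {rec.purpose} record for {rec.subject_id}")
            else:
                keep.append(rec)
        self._records = keep
        return removed

    def erase_subject(self, subject_id: str) -> Dict[str, int]:
        """Handle an erasure request: delete the subject's records except those under legal hold."""
        keep, erased, held = [], 0, 0
        for rec in self._records:
            if rec.subject_id != subject_id:
                keep.append(rec)
            elif rec.legal_hold:
                held += 1
                keep.append(rec)
                self.audit.append(f"refused erasure of {rec.purpose} record for {subject_id}: legal hold")
            else:
                erased += 1
                self.audit.append(f"erased {rec.purpose} record for {subject_id}")
        self._records = keep
        return {"erased": erased, "retained_under_hold": held}

    def count_for(self, subject_id: str) -> int:
        return sum(1 for r in self._records if r.subject_id == subject_id)


def run_demo() -> dict:
    """Walks through retention expiry, a refused reuse and an erasure request on constructed data."""
    store = PersonalDataStore()
    t0 = datetime(2018, 1, 1, tzinfo=timezone.utc)
    store.store("alice", "order_fulfilment", {"address": "1 High St"}, t0)
    store.store("alice", "marketing", {"email": "alice@example.org"}, t0)
    invoice = store.store("bob", "order_fulfilment", {"invoice": "INV-1"}, t0, legal_hold=True)
    store.store("bob", "marketing", {"email": "bob@example.org"}, t0)

    # Retention: 60 days on, the fulfilment records have expired, but bob's invoice is on hold.
    expired = store.expire(t0 + timedelta(days=60))

    # Purpose limitation: the invoice data must not be reused for marketing.
    try:
        store.use(invoice, "marketing")
        reuse_refused = False
    except PermissionError:
        reuse_refused = True

    # Erasure request from bob: his marketing record goes, the invoice on legal hold stays.
    result = store.erase_subject("bob")
    return {
        "expired": expired,
        "reuse_refused": reuse_refused,
        "erase": result,
        "bob_remaining": store.count_for("bob"),
        "alice_remaining": store.count_for("alice"),
        "audit_lines": len(store.audit),
    }
```

The point of the audit list is that a refusal is recorded just as carefully as a deletion: when a subject asks why a record was kept, the organisation has to be able to point at the legal obligation behind the hold, not just at the fact that it was kept.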
Security: Privacy by design and privacy by default
Under GDPR (Article 25), organisations are required to build data protection into their systems and processes by design. According to the EU, privacy by design means that any service or process that uses personal data must take the protection of that data into account from the outset. Every organisation that processes personal data must be able to show that it has adequate security in place and that compliance is monitored. In practice this means an IT department or IT company must take privacy into account during the whole life cycle of a system or process, from requirements and design through development, operation and decommissioning, rather than bolting it on at the end. GDPR also requires privacy by default. Privacy by default means that the most protective settings apply automatically when a customer takes on a new product or service, with no manual change to the privacy settings required on the part of the user, and that only the personal data needed for each specific purpose is collected and processed. Personal information must by default be kept only for as long as is necessary to provide the product or service.
Data Breach Notification
The aim of GDPR is to harmonise the various data breach notification laws in Europe and to ensure that organisations are constantly monitoring for breaches in personal data. Businesses must ensure that they have the appropriate technologies in place to detect and respond to a data breach.
The legislation requires organisations that suffer a personal data breach to report it to the relevant supervisory authority (in the UK, the Information Commissioner's Office) unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned, and, where the breach is likely to result in a high risk to them, to inform the affected individuals as well without undue delay. A personal data breach is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Breaches and their penalties will be assessed on a case-by-case basis, but the report to the authority must be made within 72 hours of the organisation becoming aware of the breach; if it cannot be made in time, the delay has to be justified. That deadline is only achievable if the breach is detected and escalated quickly, which is why monitoring and an incident response process matter as much as the reporting itself. Failing to report a breach exposes you to fines of up to €10 million or 2% of your annual global turnover, whichever is higher, on top of any penalty for the underlying security failure. Either fine could be crippling to a business, especially an SME.
Conclusion: Are you ready for GDPR?
Although companies were given roughly two years to prepare for GDPR, it appears that many are struggling to meet the requirements or to understand what is needed. Companies need to understand that GDPR isn't a set of best-practice guidelines: it is law.
We would love to hear your thoughts and ideas on GDPR. If you would like to know more, say hello today and call 01675 469020 or email firstname.lastname@example.org