What is GDPR?
The General Data Protection Regulation (GDPR) supersedes the Data Protection Act 1998. GDPR creates new requirements for organisations that process EU residents’ personal data and allows authorities to enforce fines of up to 4% of annual global turnover.
Who is affected?
GDPR applies to everyone involved in processing data about individuals in the context of selling goods and services to citizens in the EU; this will affect UK organisations.
The big picture
The General Data Protection Regulation (GDPR) tackles the inconsistent data protection laws currently existing throughout the EU’s member states and facilitates the secure, free-flow of data.
The outgoing 1998 Data Protection Act has become outdated as technology has evolved, making much of the legislation obsolete in protecting people.
GDPR aims to create a level playing field across Europe so that everyone has the same rights with regards to their personal data.
Implementing the GDPR guidelines effectively will strengthen customer trust and confidence, as the reputational damage of suffering a data security breach is extremely costly. In the long term, GDPR is a necessary step to safeguard the public's security rights in this digitised world.
For businesses, GDPR poses more restrictions on what they can do with data to gain commercial benefit. Also, the necessary structural changes can cost millions of pounds on compliance spending.
Why is this happening?
As the economy becomes increasingly digitised, companies are holding enormous amounts of highly sensitive personal data; this data is gold dust to cyber criminals. The fact that EU countries currently have different, and sometimes conflicting, laws is creating opportunities for cyber criminals.
Cybersecurity is a hot topic in a world that is increasingly rife with cyber-attacks. It doesn't just affect big businesses (and their customers). Whilst people may be talking about the NHS, TalkTalk and Carphone Warehouse, smaller businesses are increasingly being targeted.
Data privacy has become a priority for both businesses and individuals, with public awareness surrounding data security and privacy generating question marks over how data – which is being produced at an exponential rate – is actually collected, processed and stored.
Rapid technological advances have commoditised personal data, with GDPR set to change that with a standardised approach to data protection.
The use of the data must be made clear at the point of obtaining it. In obtaining consent for data use, companies cannot use misleading terms and conditions. Also, a company can no longer bribe people for their data. For example, tactics such as 'provide us your e-mail address to download this e-book' will not be allowed. Furthermore, it must be as easy to withdraw consent for personal data use as it is to give it.
In the event of a data breach, data processors must notify their controllers and customers of the source, risks and solution within 72 hours. As most breaches happen on a Friday afternoon, this will be difficult if the right procedures aren't in place.
Right to access
The data subjects have the right to obtain confirmation from the data controller of whether their personal data is being processed. Upon being requested, the data controller should provide a free electronic copy explaining how the subject’s data is being used.
Right to be forgotten
When the data is no longer relevant to its original purpose, data subjects can have the data controller erase their data.
Right to data portability
This is another right for the data subject; it allows the individual to obtain and reuse their personal data for their own purposes.
Privacy by design
This calls for the inclusion of data protection from the outset of designing systems, implementing appropriate technical and infrastructural measures.
Data Protection officers
Professionally qualified officers must be appointed in public authorities, or organisations that engage in large scale (>250 employees) systematic monitoring or processing of sensitive personal data.
9 Steps to prepare for GDPR
Step 1. Create Awareness
Make sure the relevant people in your organisation, such as policy makers, understand the rules and implications of GDPR and the necessity for full compliance.
Step 2. Review
Review and document all data processing activities and security processes within your company. This means a full data audit. Be sure to identify the 'what', 'why', 'when' and 'where' of the data you hold.
Step 3. Assess the risks
When it's likely that a new or existing data processing activity involves a high security risk, a 'Privacy Impact Assessment' is required to mitigate this risk.
Step 4. Identify needed measures
Identify what measures need to be taken regarding the current data processes and plan for any changes needed to achieve compliance.
Step 5. Identify key partners
Identify your joint controllers, processors and sub-processors and work with them to create instructions on how data should be handled.
Step 6. Review contracts and policies
Review existing contracts and privacy policies and amend where needed.
Step 7. Appoint a DPO
If you have over 250 employees, you will need to hire a qualified data protection officer.
Step 8. Consider a one stop shop option
Are you operating or processing data in multiple EU member states? If so, consider your one stop shop options to offer a uniform level of compliance.
Step 9. Inform and enforce
Inform third parties of, and enforce, changes to your policy, terms and conditions and contracts.
How can we help?
We can assess your readiness for the new legislation with a GDPR Health Check. This can be carried out as a standalone service, or in conjunction with an existing ISO certification.
GDPR Health Check breakdown
What you’ll receive:
- One of our expert auditors will visit your place of work and conduct a GDPR assessment.
- Access to our unique GDPR action plan.
- You'll receive a detailed report that will highlight the gaps that need to be addressed to achieve compliance with GDPR.
- Strengthen customer trust by demonstrating you take risks to personal data seriously.
- Mitigate against costly fines and damage to reputation.