GDPR – what you need to know

13/07/2017

What is GDPR?

The General Data Protection Regulation (GDPR) supersedes the Data Protection Act 1998. GDPR creates new requirements for organisations that process EU residents’ personal data and allows authorities to enforce fines of up to 4% of annual global turnover.

Who is affected?

GDPR applies to everyone involved in processing data about individuals in the context of selling goods and services to citizens in the EU; this will affect UK organisations.

The big picture

The General Data Protection Regulation (GDPR) tackles the inconsistent data protection laws currently in force across the EU’s member states and facilitates the secure, free flow of data.

The outgoing 1998 Data Protection Act has become outdated as technology has evolved, making much of the legislation obsolete in protecting people.

GDPR aims to create a level playing field across Europe so that everyone has the same rights with regard to their personal data.

The good

Implementing the GDPR guidelines effectively will strengthen customer trust and confidence, as the reputational damage of suffering a data security breach is extremely costly. In the long term, GDPR is a necessary step to safeguard the public’s security rights in this digitised world.

The bad

For businesses, GDPR poses more restrictions on what they can do with data to gain commercial benefit. Also, the necessary structural changes can cost millions of pounds on compliance spending.

Why is this happening?

As the economy becomes increasingly digitised, companies are holding enormous amounts of highly sensitive personal data; this data is gold dust to cyber criminals. The fact that EU countries currently have different, and sometimes conflicting, laws creates opportunities for cyber criminals.

Cybersecurity is a hot topic in a world that is increasingly rife with cyber-attacks. It doesn’t just affect big businesses (and their customers). Whilst people may be talking about the NHS, Talk Talk, and Carphone Warehouse, smaller businesses are increasingly being targeted.

“74% of UK SMEs had a security breach in 2016.”

Data privacy has become a priority for both businesses and individuals, with public awareness surrounding data security and privacy generating question marks over how data – which is being produced at an exponential rate – is actually collected, processed and stored.

Rapid technological advances have commoditised personal data, with GDPR set to change that with a standardised approach to data protection.

GDPR Breakdown

Consent

The use of the data must be made clear at the point of obtaining it. In obtaining consent for data use, companies cannot use misleading terms and conditions. Also, a company can no longer bribe people for their data. For example, tactics such as ‘provide us your e-mail address to download this e-book’ will not be allowed. Furthermore, it must be as easy to withdraw consent for personal data use as it is to give it.

Breach notification

In the event of a data breach, data processors must notify their controllers and customers of the source, risks and solution within 72 hours. As most breaches happen on a Friday afternoon, this will be difficult if the right procedures aren’t in place.

Right to access

The data subjects have the right to obtain confirmation from the data controller of whether their personal data is being processed. Upon being requested, the data controller should provide a free electronic copy explaining how the subject’s data is being used.

Right to be forgotten

When the data is no longer relevant to its original purpose, data subjects can have the data controller erase their data.

Data portability

This is another right for the data subject: it allows the individual to obtain and reuse their personal data for their own purposes.

Privacy by design

This calls for the inclusion of data protection from the outset of designing systems, implementing appropriate technical and infrastructural measures.

Data Protection officers

Professionally qualified officers must be appointed in public authorities, or organisations that engage in large scale (>250 employees) systematic monitoring or processing of sensitive personal data.

9 Steps to prepare for GDPR

Step 1. Create Awareness

Make sure the relevant people in your organisation, such as policy makers, understand the rules and implications of GDPR and the necessity for full compliance.

Step 2. Review

Review and document all data processing activities and security processes within your company. This means a full data audit. Be sure to identify the ‘what’, ‘why’, ‘when’ and ‘where’ of the data you hold.

Step 3. Assess the risks

When it’s likely that a new or existing data processing activity involves a high security risk, a ‘Privacy Impact Assessment’ is required to mitigate this risk.

Step 4. Identify needed measures

Identify what measures need to be taken regarding the current data processes and plan for any changes needed to achieve compliance.

Step 5. Identify key partners

Identify your joint controllers, processors and sub-processors and work with them to create instructions on how data should be handled.

Step 6. Review contracts and policies

Review existing contracts and privacy policies and amend where needed.

Step 7. Appoint a DPO

If you have over 250 employees, you will need to hire a qualified data protection officer.

Step 8. Consider a one stop shop option

Are you operating or processing data in multiple EU member states? If so, consider your one stop shop options to offer a uniform level of compliance.

Step 9. Inform and enforce

Inform and enforce changes to your policies, terms and conditions, and contracts with third parties.

How can we help?

We can assess your readiness for the new legislation with a GDPR Health Check. This can be carried out as a standalone service, or in conjunction with an existing ISO certification.

GDPR Health Check breakdown

What you’ll receive:
  • One of our expert auditors will visit your place of work and conduct a GDPR assessment.
  • Access to our unique GDPR action plan.
  • You’ll receive a detailed report that will highlight gaps that need to be addressed to achieve compliance with GDPR.
Key benefits:
  • Strengthen customer trust by demonstrating you take risks to personal data seriously.
  • Mitigate against costly fines and damage to reputation.