16 November 2016
The GDPR challenge and what it means for your business.
SINCE 1995, THE EU DATA PROTECTION LAWS HAVE REMAINED UNCHANGED UNTIL NOW.
This summer saw the passing of the first major EU data protection law in two decades, which now affects any business that trades with or holds information on European businesses or individuals.
The biggest outcome of this change in law is that organisations must implement and maintain appropriate security measures and solutions to protect personal data, and can be fined up to £16 million or 4% of global turnover if they fail to take adequate technical and organisational measures to protect that data.
So what is GDPR?
GDPR stands for the General Data Protection Regulation which is a regulation by the European Commission set to replace the current Data Protection Directive. It intends to strengthen and unify data protection for individuals as well as give them back control of their personal data.
With so many of us handling data, it is critical that businesses and organisations have consistency around data protection laws and rights. Since the Data Protection Law first came into force in 1995, access to local and global data has become quicker and easier with the ever-growing and changing digital landscape; the GDPR is written to reflect this.
A key point to mention is that if you are currently subject to the Data Protection Act then it is likely that you will also be subject to the General Data Protection Regulation (GDPR).
Why does it affect your business?
There are some important points in the new regulation which will affect any business in the UK that collects and processes data.
According to the regulation, personal data can mean anything from an email address, name, postal address and phone number, through financial or medical information, social media posts and photos, to a computer's IP address.
Accountability and Governance
According to the Information Commissioner's Office, the new accountability principle requires you to demonstrate that you comply with what is outlined in the regulation and states explicitly that it is the responsibility of the Directors.
Demonstrating that you comply includes processes like:
- Implementing appropriate technical and organisational measures
- Maintaining relevant documentation
- Implementing measures such as data minimisation, monitoring and transparency
- Using data impact assessments
- Appointing a Data Protection Officer (where appropriate)
Data Breach Notification
A data breach is a gap in your security which leads to misuse of data. This can include unauthorised access to or disclosure of data, as well as loss or destruction of data. Unauthorised access can come from outside or from within the organisation. A simple example would be an employee having access to another employee's financial data because their permission controls weren't set up correctly.
This section of the GDPR will be important to most businesses when it is introduced. It places a duty on all organisations to report data breaches to the relevant supervisory authority within a certain time period, and sometimes to the individuals affected. The time period to notify is up to 72 hours, which is achievable if you detect a breach as soon as it happens. But many businesses don't have the necessary technology in place to detect a breach, and so could go weeks, months or even years before knowing one has occurred.
Because of these tight timescales, it is important that businesses take action to ensure they have robust detection, investigation and reporting procedures in place supported by the right technology.
With this new law, there are fears that cyber criminals could breach data and then, once the 72-hour time period is up, blackmail the business into paying high sums of money to keep the breach quiet.
Data Portability or Transfer of Data
This section of the regulation restricts the transfer of personal data to countries and international organisations that offer less control and lower levels of protection than those required by the General Data Protection Regulation.
If you want to transfer data to such a country or to a third-party organisation, there must be adequate safeguards in place via legally binding agreements, binding corporate rules, standard data protection clauses or approved codes of conduct.
How can you prepare yourself?
There are different actions you can take to help prepare your business for the new regulation. We are offering all businesses a free GDPR readiness assessment which will provide recommendations to make sure you are compliant.
We also host regular events around GDPR with our sister company, Metaphor IT. Check out their latest events here.
If you would like to find out more about the GDPR readiness assessment, call us on 01293 297 100.