What Is GDPR?


DISCLAIMER:

IT Security does not make your company GDPR Compliant!


GDPR stands for General Data Protection Regulation. It is an EU regulation designed to expand the rights of individuals in relation to their data and to increase the accountability of those who control and process that data.

The regulation reaches outside of the EU to any organisation that handles EU citizens' data, regardless of where in the world it is located. We are currently partway through a transition period that allows businesses to get their house in order before the regulation comes into effect on the 25th of May 2018.

The regulation will unify and standardise data protection policies, shoring up weak spots and creating a strong base for personal data protection. GDPR provides a single set of rules for all member states to follow.

It includes (but is not limited to) mandatory security notifications, new rules around user consent, a clearer definition of what could be personal data and greater rights for people to access and request deletion of the information companies hold on them.

Failure to conform to GDPR legislation could result in hefty fines. Under the Data Protection Act, security breaches could result in fines of up to £500,000. Under GDPR, this will increase to a maximum of €20 million or 4% of annual global turnover.

Does Brexit affect this?

Brexit is unlikely to influence the need for UK businesses to adhere to GDPR for the following reasons:

  • The UK Government voted for GDPR and has expressed an interest in passing equivalent legislation following the UK's departure from the EU (the opposition has expressed similar sentiments).
  • The new GDPR regulations stipulate that businesses handling the data of EU citizens (regardless of the business's location) must adhere to GDPR or face penalisation.
  • The UK formally leaves the European Union on the 29th of March 2019, meaning that even without the two reasons above, from 25th May 2018 to 29th March 2019 UK businesses will remain under the jurisdiction of EU law.

Areas of Your Business Affected by GDPR

The mistake a lot of businesses are making is assuming that GDPR will only really affect the IT department and that it is just about data encryption.

The primary objective of GDPR is to strengthen security and privacy protection for individuals. The key to this will be documentation and processes. In fact, there are 5 key areas of every business that will be impacted by GDPR:

Finance

GDPR will hugely influence the way accounting and financial processes function within a business.

Huge amounts of confidential data pass through this department every day, so you need to be sure all your systems and policies are bulletproof. Because of the volume of data at risk, GDPR will impose heavy penalties on businesses that fail to guard their financial data adequately.

Legal

One of the most important areas to be affected is the legal department. It will be important to ensure that the business has an up-to-date Data Protection Policy and that privacy notices are current and available on the company website.

Many changes will need to be made to contracts, terms and conditions and policy documents throughout the business to ensure the consent rules are being met. This also means that the legal department will have to review and possibly renegotiate contracts to meet this requirement.

HR

GDPR will not only impact the way the business works, but it will also improve the rights of all employees too, giving them increased safety, security and control over their personal data.

Everyone in the HR department needs to be updating contracts, ensuring that everyone understands their new rights and implementing them. There will also be a need for clear policies specifying who sees what data and who is allowed to handle it.

Sales & Marketing

Sales and marketing departments are the front line when it comes to dealing with customer data.

They are usually responsible for the collection of data, so the consent rules need to be carefully followed. Sales and marketing need to make sure that their teams are only contacting customers who have opted in or given their direct consent to receive such communications.

IT

And of course, the IT department is the first line of defence for all this data.

The IT department is the foundation for the GDPR framework.

Key elements:

The right to access

Under GDPR, customers of any business or organisation will have the right to access any personal information held about them. The definition of personal data easily covers the simplest records that relate, even indirectly, to customers, clients, staff, pupils or any other record relating to an individual.

They can also ask to be "forgotten" if they withdraw consent for their data to be used, which means companies will have to securely delete that data.

Faster reporting

Under GDPR rules, companies will have a smaller window for reporting data breaches to their customers and the authorities. Any security breach likely to result in "a risk for the rights and freedoms of individuals" must be reported to the national supervisory authority within three days (and, where feasible, within 24 hours). Data processors will also have to inform their clients (the data controllers) immediately after becoming aware of a data breach. This will require businesses to have the technologies and processes in place that enable them to detect and respond to a data breach.

PII data

The definition of PII data (Personally Identifiable Information) is being expanded under GDPR to include IP addresses, genetic information (DNA), social media posts, photos and more. This means that parts of IT that have been unaffected by data protection laws in the past will need to be reassessed to comply with the new regulation.

Opt-in, not out

Companies will no longer be able to use pre-ticked or opt-out options to gain data consent from customers. A clear, simple, positive opt-in tick-box must be used, and it will need to be clear about how an individual's data will be used.

Data protection by design and by default

Data protection by design and data protection by default are now essential elements of EU data protection rules. Data protection safeguards will be built into products and services from the earliest stages of development, and privacy-friendly default settings will be the norm.

The GDPR expands liability beyond data controllers

Previously only data controllers were considered responsible for data processing activities, but the GDPR extends liability to all organisations that touch personal data. Even organisations that are purely service providers working with personal data will need to comply with rules such as data minimisation.
