What Is GDPR?
IT Security does not make your company GDPR Compliant!
GDPR stands for General Data Protection Regulation; it is essentially an EU regulation designed to expand the rights of the individual in relation to their data, and to increase the accountability of those who control and process that data.
The regulation reaches outside the EU to any organisation that handles EU citizen data, regardless of where in the world it is located. We are currently partway through a transition period that allowed businesses to get their house in order before the regulation comes into effect on the 25th of May 2018.
The regulation will unify and standardise data protection policies, shoring up weak spots and creating a strong base for personal data protection. GDPR provides a single set of rules for all member states to follow.
It includes (but is not limited to) mandatory security notifications, new rules around user consent, a clearer definition of what could be personal data and greater rights for people to access and request deletion of the information companies hold on them.
Failure to conform to GDPR legislation could result in hefty fines. Under the Data Protection Act, security breaches could result in fines of up to £500,000. Under GDPR, this will increase to a maximum of €20 million or 4% of annual global turnover.
Does Brexit affect this?
Brexit is unlikely to influence the need for UK businesses to adhere to GDPR for the following reasons:
- The UK Government voted for GDPR and has expressed an interest in passing equivalent legislation following the UK's departure from the EU (the opposition has expressed similar sentiments).
- The new GDPR regulations stipulate that businesses handling the data of EU citizens (regardless of the business's location) must adhere to GDPR or face penalisation.
- The UK formally leaves the European Union on the 29th of March 2019, meaning that even without the two reasons above, from 25th May 2018 to 29th March 2019 UK businesses will remain under the jurisdiction of EU law.
Areas of Your Business Affected by GDPR
The mistake a lot of businesses are making is assuming that GDPR will only really affect the IT department and that it is just about data encryption.
The primary objective of GDPR is to strengthen security and privacy protection for individuals. The key to this will be documentation and processes. In fact, there are 5 key areas of every business that will be impacted by GDPR:
GDPR will hugely influence the way accounting and financial processes function within a business.
One of the most important areas to be affected is the legal department. It will be important to ensure that the business has an up-to-date Data Protection Policy and that privacy notices are current and available on the company website.
GDPR will not only impact the way the business works, but it will also improve the rights of all employees too, giving them increased safety, security and control over their personal data.
Sales & Marketing
Sales and marketing departments are the front line when it comes to dealing with customer data.
And of course, the IT department is the first line of defence for all this data.
The right to access
Under GDPR, customers of any business or organisation will have the right to access any personal information held about them. The definition of personal data easily covers the simplest records that relate, even indirectly, to customers, clients, staff, pupils or any other record relating to an individual.
They can also ask to be "forgotten" if they withdraw consent for their data to be used, which means companies will have to securely delete their data.
Under GDPR rules, companies will have a smaller window for reporting data breaches to their customers and the authorities. Any security breach likely to result in "a risk for the rights and freedoms of individuals" must be reported to the national supervisory authority within three days (if feasible, within 24 hours). Data processors will also have to inform their clients (the data controllers) immediately after becoming aware of a data breach. This will require businesses to have the technologies and processes in place that enable them to detect and respond to a data breach.
The definition of personal data (PII, Personally Identifiable Information) is being expanded under GDPR to include IP addresses, genetic information (DNA), social media posts, photos and more. This means that parts of IT that have been unaffected by data protection laws in the past will need to be reassessed to comply with the new regulation.
Opt-in, not out
Companies will no longer be able to use pre-ticked or opt-out options to gain data consent from customers. A clear, simple, positive opt-in tick-box must be used, and it will need to be clear about how an individual’s data will be used.
Data protection by design and by default
Data protection by design and data protection by default are now essential elements of EU data protection rules. Data protection safeguards will be built into products and services from the earliest stages of development, and privacy-friendly default settings will be the norm.
The GDPR expands liability beyond data controllers
Previously, only data controllers were considered responsible for data processing activities, but the GDPR extends liability to all organisations that touch personal data. Even organisations that are purely service providers working with personal data will need to comply with rules such as data minimisation.