What is GDPR – A quick guide for business

Author: Graham Barnes

Six months ago most people had never heard of GDPR, but now you can’t move without seeing offers to train your company to make sure you are GDPR-ready, and it seems everyone is a GDPR expert all of a sudden.


So what exactly is GDPR?

GDPR stands for General Data Protection Regulation. It is an EU regulation which applies from 25 May 2018, and it changes the way companies are allowed to collect, store, secure and manage personal data. It replaces the 1995 Data Protection Directive (and, in the UK, the Data Protection Act 1998). Because it is a regulation rather than a directive, it applies directly in every EU member state, so all EU countries will be following the same core data protection rules going forward.

Why was the GDPR created?

There are two main issues which led to the creation of the GDPR. The first is the growth of the internet, cloud computing and large-scale data processing since the 1995 Directive was written; that legislation pre-dates them and was never designed for them. The GDPR aims to protect people’s personal data in today’s digital world.

The second issue was that each EU country had implemented the 1995 Directive in its own national law, so businesses operating across the EU faced different data protection rules in each country. The new regulation applies directly in every member state, which makes compliance much simpler for businesses that operate in more than one.

Does GDPR apply to my business?

Almost certainly. It applies to any organisation, of any size, that processes personal data about people in the EU, and that includes organisations based outside the EU which offer goods or services to people in the EU or monitor their behaviour. What you need to do to comply depends on the size of your company and how much personal data you process, and there is plenty of guidance available. The key is to make sure you are prepared, so that your company is compliant when the regulation applies.

If your organisation is a public authority, or its core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data (such as health data) or criminal conviction data, you must appoint a data protection officer. The DPO can be a member of staff or an external appointment. They are responsible for advising on and monitoring the business’s compliance with GDPR, and they are the main point of contact for the data protection authority (in the UK, the Information Commissioner’s Office, or ICO).

So what do we need to do right now?

Firstly, check the guidance to see whether you need to appoint a data protection officer for your business, and if you do, appoint somebody as soon as possible. Then review the current status of all your data protection policies and the lawful basis you rely on for each kind of processing, paying particular attention to consent, as the rules on it are tightening considerably.

Secondly, make sure the way you hold and store personal data is secure. GDPR requires technical and organisational measures appropriate to the risk, and it names pseudonymisation and encryption, the ability to restore availability after an incident, and regular testing of your security measures as examples. The consequences of data breaches and poor data security are higher under GDPR than previously.

Thirdly, make sure you have processes and procedures in place for detecting, recording and handling a personal data breach, should one occur; the 72-hour reporting clock described below only works if you find out about a breach quickly. If you use third-party suppliers who process personal data on your behalf, you need a written contract with them that sets out their obligations, and you should satisfy yourself that they are complying with GDPR as well.

What difference will GDPR make to how I deal with data?

There are a couple of key differences. Firstly, personal data can only be processed if you have a lawful basis for it. Consent is one of those bases, but so are performance of a contract, legal obligation and legitimate interests, among others, and whichever basis you use, the data must be collected for a specified, explicit purpose and handled transparently. Where you do rely on consent, it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. Pre-ticked boxes, silence or inactivity do not count, and nor does an opt-out box that people have to tick to say they no longer want their data used. The person has to actively give you their consent, and you must be able to demonstrate that they did.

Once the data is no longer needed for the purpose it was collected for, it should not be kept, and it cannot be reused for a new purpose that is incompatible with the original one. Failing to follow the principles can lead to large fines: up to €20 million or 4% of annual worldwide turnover, whichever is higher, for the most serious infringements.

What is personal data?

The GDPR has broadened the definition of personal data. It covers any information relating to an identified or identifiable person, so as well as name and home address it explicitly includes online identifiers such as IP addresses and cookie identifiers, location data, and factors specific to a person’s physical, genetic, mental, economic, cultural or social identity. Health data, including mental health information, is a special category that attracts extra protection. Individuals also have the right to ask for their data to be erased, although that right is not absolute: it applies, for example, where the data is no longer needed for the purpose it was collected for, or where they withdraw consent and you have no other lawful basis for keeping it.

What happens if we have a data breach?

You must report a personal data breach to the relevant supervisory authority (in the UK, the Information Commissioner’s Office) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to people’s rights and freedoms. If the breach is likely to result in a high risk to the individuals affected, you must also tell them without undue delay; there is no requirement to do that before you contact the ICO, and the two notifications are independent of each other. You should also keep a record of every breach, including those you decide not to report. Missing the 72-hour deadline can result in a large fine, and so can failing to follow the principles for data processing.

If you want to check your organisation’s responsibilities under the GDPR, and you need guidance on what your next moves should be to ensure you are compliant before the new rules apply, have a look at the ICO website. It has a free online self-assessment checklist which will tell you what your organisation’s responsibilities are under GDPR, and a 12-step plan of what you should be doing now to ensure your compliance in May.
