GDPR is coming
Written by Rose Miller on 27/04/2018
GDPR (or General Data Protection Regulation) is a wide-reaching piece of legislation from the EU that’s set to radically change our approach to privacy and data protection – and we’re now just shy of a month from when it comes into force. The legislation was agreed as far back as 2016, giving businesses two long years in which to become compliant. First off, the scary stuff: failing to comply can result in businesses being fined up to 4% of their annual turnover (or 20 million Euros, whichever’s greater). With businesses tending to want to keep as much money as possible, it’s surprising then, that many businesses are still woefully unprepared for this change.
What about Brexit?
First thing to understand about GDPR, is that it’s not limited to EU Member States, but rather applies to anyone who collects and/or processes data on an EU citizen. In this ever connected and globalised world we live in, that can apply to just about anybody. The Government has also specifically said that GDPR will apply to the UK regardless of Brexit. So GDPR isn’t just going to vanish.
I don’t take payment details
This is a common misconception: GDPR is not solely concerned with things like credit card details, it is concerned by any data that can be used to ‘personally identify an individual’. These means it applies to all commercial businesses (for example, every business holds records of its staff) as well as schools, hospitals, clubs and just about any organisation that holds personal data.
This terminology is a bit confusing
GDPR applies to data collectors and data processors in order to protect the rights of data subjects. The data subject is easy enough to define: in short, it’s the fleshy human who can be identified by the data in question. A data collector is an organisation that decides the method of and the reason behind collecting and processing data. The data processor is the entity that actually does the processing. It is possible to be both the data controller and the processor, but it is often the case that the controller makes use of third-party processors.
So what do I need to do?
First of all, you need to reprimand yourself for leaving it so late, but hey, no minute is more productive than the last minute. Then you need to look at your current stance on data protection. A GDPR gap analysis is a good place to start. Such a service will point out exactly where your systems, processes and technology is falling short, which is the best way to start your compliance journey.
You need to familiarise yourself with the legal changes too, as there are around 90 Articles to the legislation (don’t worry, we won’t go into them here – no one has the patience for that). Some of the most drastic changes are to do with transparency, consent and the protection of data.
Tell me more about consent and transparency
Many of the changes ultimately come down to consent and transparency. Any business collecting and processing information must be upfront about their practices. Data subjects (see, we can use the fancy legal terms now), must actively ‘opt in’ to give consent to their data being stored and processed. This consent must be obtained in writing (for example in the acceptance of terms and conditions), and must be clearly stated in plain language. You must also make it clear that the subject has the right to withdraw consent at any time and the method by which they can do this.
You must also clearly state the purposes behind data collection, carry out due diligence in terms of selecting a reputable processor and maintain the highest level of security at all times.
If your business involves complying with various legal or Government-mandated obligations, or if you’re wondering how you can provide services to your customers if they withdraw consent – don’t worry, they’ve thought of this. For example, if you must keep employment records for a certain amount of years, or if you need a customer’s personal details to provide the service they signed up for, then that’s all provisioned for in GDPR.
Especially when there’s a breach
A data breach is never good, and some companies try their hardest to downplay these events, or worse, they keep quiet and hope the problem goes away. If this sounds like you, you need to change your approach come the 25th of May 2018. You must report all breaches to the relevant body (the ICO in the UK’s case) within 72 hours of becoming aware of said breach. These events are likely to have an impact on your data subjects’ rights, so you must make sure you inform them too ‘without undue delay’.
Data protection officer
Certain companies will be legally obligated to appoint a data protection officer (DPO). This can be an in-house member of staff appointed specifically to the role, or it can also be a current member of staff assuming there is no conflict of interest. There is also secret option 3 (which isn’t a secret at all) of outsourcing the DPO role to an external company. This gives companies more expertise for less cost, so it’s becoming increasingly popular.
Many companies will find that, though they are not legally obligated to appoint a DPO, it’s extremely beneficial to have one. A DPO will become the point of contact for all things data protection. They can monitor and oversee all internal processes and security systems to ensure the highest level of data protection is being offered, liaise with relevant organisations and individuals and generally ensure your ongoing compliance.
Of course, there’s a lot more to it
There is of course a lot more to the GDPR than we can cover in this blog. It’s worth reading all the Articles yourself to fully understand it. However, for a general overview of the GDPR, think of it as a mix of technical security requirements, information and documentation requirements and internal processes.
I don’t want to be that guy who points out that we have had two years to become compliant, but I already have been him, so there is that. However, the ICO are not bureaucratic predators stalking their hunting grounds awaiting some non-complaint beast to feast upon. In fact, they themselves have stated that they’re unlikely to immediately reach for the hefty fines if a business is showing signs of working towards compliance.
Whilst it would be wrong to assume we’ll have a grace period following implementation, it’s also worth noting that there are no legal cases concerning the GPDR available for regulators to make judgement calls. The likelihood is, there’ll be some level of uncertainty to begin with.
ISO 27001 and 9001 certified
Tigerscheme qualified testers
PCI DSS v3.2 Level 1
24/7 on-site Security
Get a quote today
If you’re interested in our services, get a free, no obligation quote today by filling out the form below.