Is your business ready for the new data protection law?
25th May 2018 is GDPR (General Data Protection Regulation) day – the moment when much stricter protection of personal data becomes a legal obligation for all UK (and other EU) businesses, organisations and educational institutions wishing to do business as usual with EU countries. Until then we and our neighbours have a one-off opportunity to spring-clean our information security processes, as well as our general IT systems, to (a) ensure we comply with the new EU law governing personal data security and (b) plug any other gaps in our internet security defences against cybercrime in all its forms.
Rapidly advancing technology has reshaped our working lives in the past 25 years. So many companies and institutions now operate across borders in a digital economy where growing mountains of personal data are exchanged every second. The EU’s advisory Data Protection Directive in 1995 encouraged member states to draw up their own, often diverse sets of laws. But increasing online traffic volumes, different legal systems and the rise of international cybercrime and terrorism have slowly eroded people’s trust in data security. Data protection now requires a one-fits-all approach to bring all laws into line, hence ‘GDPR’. It’s mandatory legislation designed to maintain that vital element of trust – the essential pre-condition before any of us will share our personal data to access products and services.
How does GDPR help individual citizens?
It aims to return full control of personal data belonging to EU citizens and residents, giving them various rights on how their personal data may be used, including:
- Having access to your data held by an organisation at any time
- Having inaccuracies in your data corrected and receiving a firm’s rapid response to your request
- Having your data erased if a business cannot legally justify using it – i.e. ‘the right to be forgotten’ – and preventing use of your data
GDPR is based on seven guiding principles that the ICO and all other EU regulatory bodies must follow when receiving reports of a breach.
LAWFULNESS, FAIRNESS AND TRANSPARENCY
Requires controllers and processors to be accountable at all stages of processing, using and storing or erasing personal data
INTEGRITY AND CONFIDENTIALITY
Ensures a company protects your information, its integrity and how it is used
PURPOSE LIMITATION
Does a company have a lawful purpose, and your consent, to use your data for a specific purpose? It may not then use that data for any other purpose
STORAGE LIMITATION
Expects companies to have a data retention policy that states how long data will be kept
ACCURACY
Ensures company data controllers check that the information they hold on you is accurate and up to date, and delete it if it is not
DATA MINIMISATION
Minimises the amount of data that a company holds
… and what is expected of businesses using their clients’ personal data?
- Know your data: first find out and record what data you are collecting, processing and storing before assessing the risks
- Assess the risk: weigh up the risks of processing clients’ personal data, then implement the policies, procedures and controls needed to set up an in-house information security system, and train staff to be aware of the compliance rules. A key task is undertaking data protection impact assessments before using technology to organise and process data
- Prove your compliance: all businesses and organisations have to keep strict records of their data processing activities and of the in-house policies governing them
- Know what your customers want: give them peace of mind that the data you process and store on them is treated with the utmost confidentiality. GDPR insists on evidence of a client’s crystal clear, positive consent through a deliberate ‘opt in’ – gone are the days of optional opt-out tick boxes! Children, particularly on social media, need special parental consent to opt in
- Communicate: you are expected to inform individuals in plain language about your use of their data, telling them their legal rights, your contact details, why you are using their data, who you share it with, and how you protect it
- Don’t dawdle in admitting a data breach: you have just 72 hours to report any breach you discover to the ICO if it affects personal data you control
Who does it affect?
All businesses, organisations and educational bodies receiving, processing and storing personal details of individuals (e.g. customers, clients, users, students, payroll members, suppliers and partners). Data includes any detail that identifies someone directly or indirectly, and covers everything from email addresses, intranets and social media through to company servers physically based on the premises, elsewhere in Europe or in the cloud. You have to consider your whole data capture, processing and storage arrangements.
Act now to avoid potential penalties later
GDPR legislation is being subsumed into the UK’s forthcoming Data Protection Bill, which replaces the previous 1998 Act and is likely to reflect the tough GDPR penalties for gross infringements – fines of up to 4% of a company’s worldwide turnover or €20m (£18.3m) for violating an individual’s rights, and fines of up to 2% or €10m (£9.2m) for key mistakes in internal record-keeping and breach notification.
How we can help you get your house in order
We are Hertfordshire’s first official certification body for IASME, one of the national schemes used by the government to certify small and medium-sized businesses as GDPR compliant. We are thus well qualified to take you through the compliance process step by step. We will help you organise a smooth, non-disruptive implementation by advising you on how to remedy any weak points found in your initial risk assessment, which will take GDPR requirements into account.
Alternatively, you may want to consider the less complex CyberEssentials qualification on its own (which is also a key step towards gaining full compliance through IASME). CyberEssentials focuses specifically on the technology side, and is essentially a security check on all the PCs, hardware and information assets within your company network. Are you, for instance, updating or patching all your technological assets within 14 days? IASME, meanwhile, ranges well beyond physical office networks to consider a company’s response to the wider issues of governance and compliance.
As a special bonus, all organisations with a turnover below £20m that gain either IASME or CyberEssentials certifications will qualify for free indemnity insurance up to £25,000.