The General Data Protection Regulation (GDPR)
The Data Protection Act is changing, and the new General Data Protection Regulation (GDPR) is coming. The new regulations clamp down on personal data breaches with hefty fines for organisations which fail to adequately protect the data they hold.
Do you hold personal information? Currently registered as a data controller? Get ready for the new legislation.
Under the GDPR, regulators will have the power to issue fines of up to 4% of global turnover (not profit!) or, for organisations without turnover, fines of up to 20 million pounds! These new powers, which apply across Europe, really mean it’s time to secure data and protect against breaches.
Find out the key components of the GDPR and how to protect your organisation below:
What is personal data?
GDPR defines a much wider area in terms of what counts as personal data.
Under these new regulations, any data that could identify an individual, such as genetic, mental, cultural, economic or social information, will count as personal data. This includes IP addresses and cookies.
Does your organisation do payroll? Store employee bank details? Keep customer information? Yes, all of this is included.
Do subjects need to give consent to have data held?
Under the new regulations your organisation MUST be able to PROVE clear and affirmative consent to process personal data. This means that your organisation must explain clearly and precisely what personal data it is collecting and how it will be processed and used. Your organisation will therefore need to make sure that this step is built into every occurrence of personal data collection without fail, and that the proof of consent is stored and can be retrieved quickly if necessary.
In simple terms, consent to store personal information must be clear and obvious, a little like opting into an email newsletter: subjects must actively opt in and be aware of what they are agreeing to, rather than having the consent hidden within the T’s and C’s.
If subjects have to opt-in, can they opt-out?
Yes. The GDPR defines ‘the right to be forgotten’.
Your organisation must not hold data about a person for longer than is necessary, must not change the use of the data from the purpose for which it was originally collected (consent was given for that specific purpose only), and must delete any data about a subject at that data subject’s request. This gives subjects the right to opt out completely, i.e. ‘the right to be forgotten’.
What happens if we have a data breach?
Your organisation will need to have the capability and systems in place to monitor for, identify and notify the Information Commissioner’s Office (ICO) of a data breach within 72 hours of discovering it.
Fines of 2% of global turnover can be issued if a company is aware of a data breach and does not notify the ICO within 72 hours!
What is classed as a data breach?
Anything where sensitive or personal data is exposed.
This can be as simple as a laptop containing personal data being left on a bus or stolen from a house.
Does your organisation take its nightly backup home on a tape or USB disk? If that backup is lost and is not encrypted, the ICO will need to be notified within 72 hours.
We’re not based in the UK. Does this apply to us?
The GDPR is EU legislation. It applies to any organisation storing personal information on any EU citizen.
Even if your organisation is located in the USA, if it holds data on EU citizens it must comply with the same rules.
Legacy systems are used in our organisation. What about them?
Your software, systems and processes must be designed around compliance with the principles of data protection every step of the way. Security in transit is not enough; security at rest must also be implemented.
This applies to both new and old systems. Existing systems must be revisited to ensure that they capture, transfer and store information in a secure manner.