Are you preparing your business for the EU General Data Protection Regulation (GDPR)?
Currently the UK relies on the Data Protection Act 1998, but from 25 May 2018 the EU GDPR will apply, replacing the current legislation. GDPR was designed to strengthen and unify data protection for all individuals within the EU; it covers any data that could feasibly be used to identify an individual. The UK will need to comply regardless of the Brexit negotiations.
Many of the current Data Protection Act (DPA) concepts and principles will remain much the same. If you currently comply with this, then it is a good starting point for you to build upon. However, there are significant changes and you will need to ensure that your business complies, or you could face a significant fine (up to 4% of global annual turnover or £17 million, whichever is higher).
Businesses must protect the personal data and privacy of EU citizens, and GDPR will also regulate the export of personal data outside the EU. An individual's IP address or cookie data will receive the same level of protection as their name and address.
Data processor and data controller
GDPR puts the responsibility for a breach on the:
Data processor - those responsible for processing personal data on behalf of a controller; this will include any outsourcing company or processing partner, such as a cloud provider
and the
Data controller - the owner of the data: an individual or business who determines the purpose and means of processing personal data, and who collects, stores and uses this personal data.
Organisations may have a dual role as a processor and controller, for example storing employee data and providing services which require customer data. At the very least an organisation is a controller in terms of HR records.
Data breach
Organisations need to plan for any kind of data breach. To be compliant with GDPR, there is a requirement to notify any relevant parties of a breach within 72 hours of it occurring. With many breaches going undetected for much longer periods, sometimes weeks or even months, establishing when a breach has happened in an adequate and timely manner will be imperative.
You will need to be able not only to identify a breach and when it happened, but also to know and understand which individuals in your data it has affected and the severity of the impact. Early detection, knowledge of any attacks and the ability to provide evidence supporting audit and compliance will be essential for an organisation. This is perhaps why many organisations are using a third party to help them detect these threats before they occur, or at least to discover them early.
Planning for GDPR
It is vital that you plan your approach to GDPR compliance and that you have buy-in from key people in your organisation. If you haven't already started, then start planning now. New procedures will need to be put in place, and an audit and review of all personal data stored should be carried out.
Please visit the ICO website for advice and information or contact us.