So what is GDPR?
The General Data Protection Regulation (GDPR) is a new set of rules that will replace all existing national and EU data protection legislation in all 28 EU states. For companies based in the UK, GDPR replaces the Data Protection Act (1998) and Directive 2002/58/EC on Privacy and Electronic Communications.
These new regulations will be enacted 10 months before we leave the EU, effectively when Article 50 is triggered, and will be critical for any organisation that continues to trade outside the UK, particularly within the EU. If Article 50 is delayed, GDPR will take effect from 1 April 2018.
GDPR is designed to “give citizens back the control of their personal data”.
How will this affect the way we store data?
GDPR has been designed to make sure businesses only collect data for “legitimate, explicit and specified” reasons. This means that companies who are in control of sensitive data must ensure the following principles are enacted throughout their firm.
- All personal data must be processed lawfully and transparently.
- The scope of the data collected must be limited to what the firm actually needs for processing: only fields that are relevant and adequate to your business.
- All personal data must be kept up to date and accurate.
- Personal data must be used under “maximum security” conditions whilst being processed.
- Personal data must be cared for so that the identity of an individual is only available during processing and only when permission has been granted.
- All personal data must be deleted on request, in line with “the right to be forgotten”.
- Complaints procedures must be clearly outlined and free.
- Data on minors under the age of 13 can only be held with the explicit permission of their legal guardians.
What are the penalties for failing to comply with GDPR?
Your firm’s duty of care will be to enact a data protection policy across all levels of your business. The scenarios below will give you an idea of how GDPR will be enforced:
- If you are the victim of a data breach, you must inform the Information Commissioner’s Office (ICO).
- You will also need to contact each client with an individual assessment on how their data or privacy has been impacted.
- Every breach must be recorded.
- Any ICO visit to your premises will require you to provide substantial evidence you have done everything in your power to prevent any breach.
Any company found in breach of GDPR can expect to be hit with a fairly hefty penalty. To be precise, if the ICO is not convinced that you did everything in your power to prevent a breach or to follow the GDPR rules, you can be fined up to 4% of your overall turnover. For an SME this could be a huge blow: a 4% fine for a company with a turnover of £1m equates to £40,000, which could be the difference between making a profit or not, and between surviving as a going concern or not.
How can I comply with GDPR?
We have already seen a tough stance taken by the Government on recent law changes relating to the use of a handheld device whilst behind the wheel of a vehicle. I’m sure GDPR data breaches will be dealt with in the same manner, especially with cyber-crime on the rise.
Essentially, two questions need to be asked:
- Is all the information we store held legitimately?
- Who has access to the various data we store?
If the answers to the above questions present a risk that your data could be accessed or downloaded by someone who should not have it, then perhaps it is time to take a closer look at each database your company holds and implement more stringent controls. This also includes all those spreadsheets and CSV exports you use for email marketing and direct mail purposes.
To comply with GDPR you will need to complete the following:
- Understand where your data is stored and how, if possible, it can be centralised.
- Control data access by adding stronger password controls and by creating an audit trail of who has accessed, modified or added any data.
- Consider the use of encryption to safely send data and prevent unauthorised users accessing sensitive information.
- Take a close look at every field within every database the business holds and ask yourself whether each one passes the test of being “relevant” and “adequate”. If the answer is no, do yourself a favour and permanently delete it.
For those that hadn’t heard of GDPR or had little knowledge prior to reading this article, I hope this has given you an insight into what you can expect for the future of data protection policies.
For more information you can visit the ICO’s website https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/