The General Data Protection Regulation
Do not panic!
It might come as a surprise to see this bit of advice, but no official is going to knock on your door demanding proof of compliance with the GDPR, just as no one from the government ever asked for more than proof of your registration with the Information Commissioner's Office (ICO) as required under The Data Protection Act (DPA)*. However, it is now several years since the GDPR passed into law and you should be familiar with the legislation, have the necessary protocols in place, and be keeping evidence of compliance in the event that something occurs (like a breach) and you are called upon to demonstrate your compliance efforts. Doubtless your clients will be asking that you demonstrate compliance in some way, as is their duty under the legislation.
Now I am not suggesting you do nothing and just forget about it; this is a legal requirement that all businesses must comply with, but let's put some of the scary headlines into context. The previous DPA was in force for 20 years, and the ICO had the power to fine organisations up to £500,000 for breaches. In the 2016/17 financial year the ICO processed over 17000 breach cases and just 16 of these resulted in a fine. None of these fines reached anywhere near the maximum. The new Data Protection Act 2018 brings into law the details set out in the GDPR, in which there is provision for a maximum fine of €20m! The ICO is unlikely to be handing down fines of this magnitude for any but the most severe breaches. For example, the ICO recently issued a provisional view to fine Clearview AI Inc over £17 million. The reality for most small businesses is that they are extremely unlikely to be landed with such a crippling fine, if they are fined at all, unless they are utterly incompetent at handling vast quantities of personal data, or deliberately ignore the requirements of the regulations. That said, the fines are gradually rising and the past year has seen records broken across the EU, with GDPR sanctions in 2021 exceeding €1 billion.
I'm sure you already did your best to comply with the old DPA, so what has the GDPR changed in the new legislation?
Primarily it defines personal data as any information "relating to an identified or identifiable natural person", and has these key provisions:
- The right for individuals to access, correct, transfer or delete their personal information if it is held on your systems.
- The requirement for you to notify authorities and customers within 72 hours of the discovery of a breach affecting their data.
- Fines of up to 4% of global annual turnover (or €20 million, whichever is higher) for the most serious violations.
- The requirement for citizens to give explicit consent for you to hold their data (where you do not have other legal reasons to have it), and for you to store this consent.
- The GDPR applies globally, to any organisation offering goods or services within the EU, so still applies to UK businesses with EU customers even after Brexit.
- The GDPR is enshrined into UK legislation, so applies to UK businesses even if they have no EU customers.
Key points in ensuring you comply with the GDPR:
- you must fully understand what personal data you hold, where the data is stored, and who has access to it, from the moment you receive the information, to the moment it is deleted from your systems.
- you must have organisation-wide data protection policies, auditable record keeping, perform data protection impact assessments on particular types of data, and verify that any businesses you partner with are also compliant.
- you must have the capability to detect and report data breaches, and the processes in place to find, modify, and delete personal data when requested, all within prescribed time limits.
Technology improvements have meant that personal data became very cheap to hold, store and process, so much so that many businesses have vast stores of it. That is changing. Personal data is becoming what is known as a "toxic asset", that is, the risks of holding and storing it are potentially very damaging to your business.
Think of it in terms of toxicity, and you'll be on the right path. Do you need that personal data in order for your business to function? If not, then remove it. If you do need it, consider anonymising it. If you really need that personal data, then you need to make sure that it is properly protected, and should consider encrypting it.
Do not panic!
I can help you achieve and maintain your GDPR compliance. Please contact me for an initial informal assessment, which will look at your existing approach to data protection and information security. I'll provide you with a simple checklist of recommended actions, to point you in the right direction.
Contact Your Security Manager today to discuss how we can work together.
* The ICO’s register of data controllers is a publicly accessible register. I’m always amazed at how few local businesses appear on it.