The General Data Protection Regulation - 25th May 2018
The EU's General Data Protection Regulation (GDPR) comes into force in just 2 months and 7 days' time, on 25th May.
Do not panic! It might come as a surprise to see this bit of advice, but no one is going to knock on your door on May 25th demanding proof of compliance, just as no one has ever asked for more than proof of your DPA registration.
Now I am not suggesting you do nothing and forget about it, but let's put some of the scary headlines into context. The DPA has been in force for 20 years, and the ICO presently has the power to fine organisations up to £500,000 for breaches. Last year (16/17) it processed over 17000 such cases and just 16 of these resulted in a fine, none of which was anywhere near the maximum. Unless you are utterly incompetent at (mis)handling vast quantities of personal data, you are extremely unlikely to be landed with a €20m fine!
I'm sure you already do your best to comply with the DPA, so how does the GDPR differ from it? Primarily, it defines personal data as any information "relating to an identified or identifiable natural person", and has these key provisions:
- The right for EU citizens to access, correct, transfer or delete their personal information if it is held on your systems.
- It applies globally, to any organisation offering goods or services within the EU, and will apply to UK businesses even after Brexit.
- The requirement for you to notify authorities and customers within 72 hours of the discovery of a breach affecting their data.
- Fines of up to 4% of global annual turnover (or €20 million, whichever is higher) for the most serious violations.
- The requirement for citizens to give explicit consent for you to hold their data (where you do not have other legal reasons to have it), and for you to store this consent.
Key points in ensuring you comply with the GDPR:
- you must fully understand what personal data you hold, where the data is stored, and who has access to it, from the moment you receive the information, to the moment it is deleted from your systems.
- you must have organisation-wide data protection policies, auditable record keeping, perform data protection impact assessments on particular types of data, and verify that any businesses you partner with are also compliant.
- you must have the capability to detect and report data breaches, and the processes in place to find, modify, and delete personal data when requested, all within prescribed time limits.
Technology improvements have meant that personal data became very cheap to hold, store and process, so much so that many businesses have vast stores of it. That is changing. Personal data is becoming what is known as a "toxic asset": the risks of holding and storing it are potentially very damaging to your business.
Think of it in terms of toxicity, and you'll be on the right path. Do you need that personal data in order for your business to function? If not, then remove it. If you do need it, consider anonymising it. If you really need that personal data in identifiable form, then you need to make sure that it is properly protected, and should consider encrypting it.
Do not panic! I can help you achieve GDPR compliance. Please contact me for an initial informal assessment, which will look at your existing approach to data protection and information security. I'll provide you with a simple checklist of recommended actions, to point you in the right direction.
Contact Your Security Manager today to discuss how we can work together.