The General Data Protection Regulation - 25th May 2018
The EU's General Data Protection Regulation (GDPR) comes into effect on 25th May 2018. It greatly increases the scope and requirements of current data protection legislation, and it applies to every business that may hold personal data on EU nationals.
It defines personal data as any information "relating to an identified or identifiable natural person", and has these key provisions:
- The right for EU citizens to access, correct, transfer or delete their personal information if it is held on your systems.
- The requirement for you to notify authorities and customers within 72 hours of any breach affecting their data.
- Fines of up to 4% of global annual turnover (or €20 million, whichever is higher) for the most serious violations.
- The requirement for citizens to give explicit consent for you to hold their data, and for you to store this consent.
This final point applies to data already held. If you have vast stores of historic data, it's time to evaluate whether you really need to keep it.
The GDPR applies to any organisation offering goods or services within the EU. The scope is wide ranging, and even includes data collected in cookies from your website, if that data is used for monitoring the behaviour of EU citizens while they access your website. It applies globally and will apply to UK businesses even after Brexit; businesses around the world are now making preparations to comply with the regulations.
Key points in ensuring you comply with the GDPR:
- you must fully understand what personal data you hold, where the data is stored, and exactly who has access to it, from the moment you receive the information, to the moment it is deleted from your systems.
- you must have organisation-wide data protection policies, auditable record keeping, perform data protection impact assessments annually, and verify that any businesses you partner with are also compliant!
- you must have the capability to detect and report data breaches, and the processes in place to find, modify, and delete personal data when requested, all within prescribed time limits.
Technology improvements have meant that personal data has become very cheap to hold, store and process, so much so that many businesses have vast stores of it. That is changing. Personal data is becoming what is known as a "toxic asset", that is, the risks of holding and storing it are potentially very damaging to your business.
Think of it in terms of toxicity, and you'll be on the right path. Do you need that personal data in order for your business to function? If not, then make sure you don't have it. If you do, then you need to make sure that it is properly protected.
I can help you achieve GDPR compliance. Please contact me for an initial informal assessment, which will look at your existing approach to data protection and information security. I'll provide you with a simple checklist of recommended actions, to point you in the right direction.
Contact Your Security Manager today to discuss how we can work together.