The EU’s General Data Protection Regulation (GDPR) is coming into force on May 25th 2018. Are you savvy with the new rules, and is your business ready?
At the end of May, the UK Data Protection Act will be superseded by new legislation: the General Data Protection Regulation (GDPR).
It aims to enhance the rights of individuals, giving them more autonomy over how their data is collected, stored and processed, and setting down mandatory guidelines for how organisations must account for the data they store.
GDPR: what you need to know
Compliance is mandatory. Your organisation must be able to demonstrate compliance in line with the tenets of data protection.
Compliance will not be affected by Brexit, whatever the final outcome. The GDPR applies to every organisation established in the EU, regardless of whether the individuals concerned are EU citizens, and to any organisation located outside the EU that offers goods or services to individuals in the EU, monitors their behaviour or otherwise processes their personal data.
If you are a service provider that processes data on behalf of another organisation (you run their payroll, for example), you are a data processor and have your own compliance obligations under the GDPR, in addition to those written into your contract with the organisation you serve.
It demands a change in culture, not just practice. Your organisation must do more than simply tick the requisite boxes. GDPR demands a holistic approach: your business must adhere to a culture where data protection and respect for individual privacy is ingrained; it should be able to demonstrate transparency at every level and point to appropriate policies and practices when it comes to protecting personal data.
Expect tighter controls on special categories of data. Under current legislation, organisations are already subject to strict controls on how they process personal data, which includes names; postal, email and IP addresses; photos; location data; and cookies and profiling data.
There are also special categories of data, which include information on race; religion; political persuasion; union membership; sexual orientation and health.
The GDPR will bring in two new special categories: biometric and genetic data.
You should have been protecting your data all along, although most organisations would struggle to pinpoint precisely what personal data they hold and where it is stored.
GDPR is intended to close loopholes and strengthen enforcement by introducing much larger fines.
It applies to online and offline data. This means that long-forgotten paper records are just as pertinent as brand new software. It may initially seem an overwhelming task to track and collate it all but take heart from the fact GDPR is very specific in its scope, applying to data that identifies individuals and has a potential impact on them.
6 steps to GDPR compliance
1. Familiarise: Get to grips with the legal framework, then consult a data protection officer (DPO) to understand any requirements that are specific to your business.
2. Record: Keep a record, or Data Register, of how you implement your compliance; the GDPR itself calls this a record of processing activities. Should you come under scrutiny from your data protection authority (DPA), the regulator tasked with ensuring that businesses comply (in the UK, the Information Commissioner's Office), you will be able to present your Data Register as evidence. Failing to keep and produce these records can attract a fine of up to 2 per cent of your business' annual worldwide turnover, and the most serious infringements can attract up to 4 per cent.
3. Classify: Start by categorising the data you hold, highlighting personally identifiable information (PII) relating to individuals in the EU. Log where it is stored, who can access it and with whom it is shared, and update the relevant contact information. This lets you see which data most needs protecting, based on its classification.
4. Evaluate: Starting with your most sensitive data, determine whether your business still needs this information, and why. Question how it is being collected and processed. The rights of the individual are paramount under GDPR, so anything that could identify individuals to third parties, including attackers, needs stringent protection: what security controls do you have in place, and how do you anonymise or pseudonymise the data and restrict access to it within your own company?
5. Assess: All additional risk factors must be assessed and documented. Find your company's weak spots and record in your Data Register, in detail, the steps you are taking to address them.
6. Revise and repeat: Based on the outcomes of your first assessment, refine your process, address any outstanding issues and apply the same approach to all data going forward.