Just one of a range of consultancy services to keep you compliant
What is GDPR (General Data Protection Regulation)?
The General Data Protection Regulation (GDPR) is a European Parliament, Council of the European Union and European Commission regulation to strengthen and unify data protection for all individuals within the European Union (EU).
Any company, no matter where they are in the world, working with information relating to EU citizens will have to comply with the requirements of the GDPR, making it the first global data protection law.
The main goal of the GDPR is to give individuals more control over their personal data, impose stricter rules on companies handling it and make sure companies embrace new technology to process the influx of data produced.
The GDPR considers any data that can be used to identify an individual as personal data. It includes, for the first time, things such as genetic, mental, cultural, economic or social information.
From now, almost all personal data will fall under the GDPR, making it difficult for organisations to avoid having to comply with its requirements.
Even post-Brexit, it is highly likely that the entire regulation will be adopted; the alternative would be to try to draft a completely new one after it has already come into force, leading to struggles with compatibility.
How we can help with GDPR
We can help you understand this rather complex regulation and assist you to approach compliance in the most efficient manner to suit your company.
Having the correct policies and associated documents in place is key for compliance, but one requirement that is often overlooked is having robust security measures in place. These need to meet Cyber Essentials or IASME standards at a minimum in order to adequately protect data.
The more security measures you implement and adhere to, the better your and your customers’ data will be protected. This means that the ICO could look upon you favourably in the event of a breach.
We can help you not only on the policy guidance side but on the technical side as well, making us the ideal partner to help you to build a coherent information security policy.
What you need to know about GDPR
When is the GDPR enforced?
The GDPR was made active on 14 April 2016 but, as a regulation, it will be enforced on 25 May 2018, at which point non-compliant organisations will face very heavy fines.
It’s a regulation rather than a directive and – make no mistake – it will be fiercely enforced by the Information Commissioner’s Office (ICO).
As a business owner, you really need to start right now if you are going to have all the documentation and procedures in place on time.
THIS COULD HAPPEN TO YOUR COMPANY
If you abuse or do not adequately protect personal data, the ICO could issue a penalty of up to €20 million or 4% of your global annual turnover, whichever is greater.
What do we advise?
Our advice for avoiding those looming 4% fines is to get a proper “audited” IASME assessment. The accreditation covers Cyber Essentials and GDPR and, most importantly, the ambiguous security requirements that the GDPR alludes to, such as an “adequate level of protection”.
What the ICO say
After 25 May 2018 it is the ICO that will be handing out the fines, so here is a quote directly from them endorsing Cyber Essentials and confirming that they would look favourably on those who use it as a proactive tool to control their risks.
“The Information Commissioner’s Office supports the Cyber Essentials scheme and encourages businesses to be assessed against it. Protecting personal data depends on good cyber security, and the threats and challenges are getting ever more sophisticated. All too often organisations fail at the basics. This scheme focuses on the core set of actions that businesses should be taking to protect themselves, their customers, and their brand. Cyber Essentials enables businesses to demonstrate that they are taking action to control the risks”
Christopher Graham, Information Commissioner, ICO
Will the GDPR apply to your company?
Any company, no matter the size, will have to comply with the GDPR and collect, store and use personal information more securely. And, just like the big guys, smaller companies will face fines for any violations.
Even if the personal data is just that of your staff and not your customers, you must still follow the GDPR rules or face the consequences.
What are the fines if you do not comply with the GDPR?
If you make no effort and don’t follow the basic principles for processing data, such as consent, or if you ignore individuals’ rights over their data or transfer data to another country, the fines are severe. The ICO could issue a penalty of up to €20 million or 4% of your global annual turnover, whichever is greater.
To demonstrate just how tough those penalties will be, under the new rules TalkTalk’s record £400,000 fine for a customer data breach would now amount to £59 million. To put that in context, TalkTalk’s total revenue in the third quarter of 2016 came to £435 million.
In 2016, 15 out of 20 firms fined by the ICO went bust or declared themselves insolvent, thereby avoiding the fine.
However, under the new rules, the ICO will be far more tenacious in recovering fines. Directors risk being made personally liable for the same amount, even if the company is put into liquidation.
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
The Pillars of the General Data Protection Regulation
Consent to the processing of personal data must be freely given, specific, informed and unambiguous. Consent is not freely given if a person is unable to refuse consent without detriment.
Accountability and privacy by default
The GDPR places great emphasis on data controllers’ accountability to demonstrate compliance. They will be required to maintain certain documentation, conduct impact assessment reports for riskier processing and employ data protection practices by default, such as data minimisation.
Notification of a data breach
Data controllers must notify the ICO as quickly as possible and, where applicable, within 72 hours of discovering the data breach.
This new legislation allows the Data Protection Authorities to impose higher fines, up to 4% of annual worldwide turnover. The maximum fines can be applied for violations related to international data transfers or breaches of processing principles, such as the conditions for consent. Other violations can be fined up to 2% of annual worldwide turnover.
Role of data processors
Data processors will now have direct obligations to implement technical and organisational measures to ensure data protection; this could include appointing a Data Protection Officer if needed.
This legislation will be applicable in all EU states without the need to implement national legislation. Having a single set of rules will benefit businesses, as they will not need to comply with multiple authorities, streamlining the process and saving an estimated €2.3 billion a year.
Removal of notification requirement
Some data controllers will be glad to hear that the requirement to notify or seek approval from a Data Protection Authority is being removed in many circumstances. This decision was made to save funds and time. Instead of notification, the regulation requires data controllers to put appropriate practices in place for large-scale processing using new technology.
Right to be forgotten
This is one of the most useful changes for the average person managing their data protection risks. A person will be able to require that their data is deleted when there is no legitimate reason for an organisation to retain it. Following such a request, the organisation must also take appropriate steps to inform any third party that might hold links to or copies of the data and request that they delete it.
This regulation has clearly been created to acknowledge that people produce far more sensitive data than ever before. Managing data on a large scale can be risky for organisations if they do not plan an appropriate strategy and update their systems to handle the influx. This kind of negligence can lead to data breaches or leaks, which is unacceptable for modern businesses. The GDPR will go some way to resolving this problem. If we can help you to prepare for it, please get in touch via our contact form.