We first started to hear whispers of GDPR early last year, and since then those whispers have grown louder and louder, so that now it seems to be all anyone in the IT industry is talking about. A lot of rumours seem to be flying about concerning what is and isn’t going to happen when GDPR comes into effect. We thought we would put together a blog post on what we know so far. Everything is subject to change, but this is what we have been told.
What is GDPR?
GDPR is the EU General Data Protection Regulation. It will come into effect on Friday 25th May 2018 and will replace the Data Protection Directive 95/46/EC. GDPR is legislation designed to harmonise data protection laws across Europe, to protect and empower data privacy, and to redefine the way organisations approach the security of their customer data. Organisations that do not comply with this new legislation will face fines of up to 4% of their global turnover or €20 million.
Will GDPR happen despite Brexit?
Even though the UK will be leaving the EU, it is very unlikely that we will be exempt from complying with the GDPR legislation. The UK was a key contributor in creating GDPR and will more than likely carry GDPR into post-Brexit law to replace the UK Data Protection Act.
Does GDPR apply to you?
The new legislation is applicable to all businesses in the UK. While there will be some concessions for small and micro businesses in relation to record keeping, it is said to apply to all organisations involved in economic activities in which personal data is processed.
What’s the difference between GDPR and the Data Protection Directive?
The Data Protection Directive is centred around data privacy; with the new legislation in place there will be more conditions in terms of consent for data usage. Furthermore, GDPR introduces penalties for non-compliance.
What are the key aspects of GDPR?
GDPR is all about your data and how you hold it. The changes mean that if you experience a data breach, whether that’s through a member of staff or a ransomware attack, you will need to inform all affected data subjects that their information has been compromised.
It will also bring in the right to be forgotten. An individual can now ask to be completely removed from your organisation’s data. That’s not just taking them off a database: none of their data, such as their email address, may be held anywhere by any of your staff, including in notes, files and folders.
You will also have to make sure that your data is accurate and up to date, as well as relevant and limited to what is necessary. If you don’t need to hold that piece of information, then you shouldn’t.
These are just some of the changes that are going to come into play. The key to GDPR is that your data must be processed lawfully, fairly and transparently, and that you can only collect it for explicit and legitimate purposes.
The most important aspect of GDPR is that personal data must be processed in a manner that ensures it is secure. In practice, this means that if you experience a cyber-attack you should already have had the precautions in place to prevent it and protect your data. While perfect security is difficult to achieve, the failure to try is now unacceptable.
What should I do?
You need to learn more about how these changes to the law will affect your operations and what you need to do to be compliant. If you suffer a data breach, then the likelihood is that your organisation will be subject to crippling fines.
GDPR and what it consists of are still under review, and aspects of it are open to change. If you are at all concerned about GDPR, then please give ACUTEC a call to see how we can help you protect your data.