Save the date. On 25 May 2018, the long-awaited EU General Data Protection Regulation (GDPR) will come into force!
In recent weeks, I’ve presented GDPR awareness for a variety of audiences ranging from local business forums to security professionals at an ASIS International security seminar, and one thing is clear – many firms aren’t up to speed with what the EU GDPR means for their organisation, or how to prepare for it.
In response to the head-scratching and consternation I’ve witnessed in recent weeks, I’ve set out to explain the core principles of the new regulation in a three-part blog series. The aim is to break the topic up into three bite-sized pieces and for this first blog, the best place to start is simply with awareness.
“So, what does the GDPR have to do with us?”
That’s the question that has resonated in boardrooms across the UK over the last 18 months with increasing intensity. The answer is quite a lot – if your business is holding Personally Identifiable Information (PII), as many do. New, smart technologies have resulted in a proliferation of data in businesses of all sizes, which has meant current data protection laws required a little tweaking. In simple terms, the GDPR is an updated version of the Data Protection Act (DPA) and aims to ensure the security and protection of PII. If your company stores personal data, then GDPR applies to you.
Preparing for GDPR
If you haven’t begun preparations, or if you are unsure how the regulation may affect your business, now is the time to start reviewing your data protection processes. Failure to comply with the new regulations could result in large fines, such as €20m, or 4% of a company’s annual turnover, whichever is greater. The reputational damage of non-compliance could also be catastrophic. Many of the DPA’s core principles still apply, such as what data a business holds and where it came from. The key differences will come from issues such as:
- Accountability – While under the original laws the responsibility for a breach sat primarily with the controller, under the new legislation this now sits with the controllers and processors. Firms must therefore begin looking beyond their four walls to ensure complete protection. For example, is a company’s suppliers also ensuring the technology or service they provide is adequately secured?
- Consent – Some organisations may have become complacent regarding consent under the Data Protection Act, utilising personal data in a way that wasn’t originally intended when the data was first collected. It is vital businesses ask themselves:
- Has the original purpose for having the data changed?
- Are there any secondary reasons for data use that have arisen since the original purpose?
- Has the data been shared with third parties since it was initially obtained
- Territorial scope – The GDPR doesn’t only apply to those trading within the EU. International trading also applies if the data relates to an EU citizen residing in any member state. Furthermore, the regulations will still apply in the UK, despite Brexit.
- Privacy notices – There is a requirement for businesses to inform data subjects of their rights and inform them of how their data is being utilised. They must also advise those potentially affected by a data breach within a certain time frame.
If any of the answers to the above questions are yes, the company may be in breach of the GDPR if the data subjects have not been kept informed of the changes in use, or the third parties are not GDPR-compliant.
At NW Security, we can help your business prepare for the EU GDPR. There are severe consequences for non-compliance, but with the correct preparation, the new regulations could become an opportunity for increased security provisions within a business, instead of a regulatory headache.
Find out more about best practice and compliance for your data security.