GDPR – What you need to know
What is GDPR
The General Data Protection Regulation (GDPR) creates challenges that require action from organisations in every sector.
It is the largest change to data protection legislation in the last 20 years. Regulators gain new powers to impose fines and will expect significant changes to how every organisation handles personal data. Fines can reach €20 million or 4% of annual global turnover, whichever is higher, and a personal data breach that is likely to put individuals at risk must be reported to the regulator within 72 hours of your becoming aware of it.
Read our basic guide below for a short overview of the things that will affect you. The new law applies from 25 May 2018, so you need to have your procedures in place by then. Gaining the Cyber Essentials certification can help show that you have taken basic technical steps to protect your business and its data from cyber attacks; regulators take the technical and organisational measures you had in place into account when deciding on any penalty, but certification does not exempt you from fines.
GDPR – The basics
The individual will be in control of their own data.
Individuals have more power to control what data a company holds on them and how it is used. A company can be asked to report on, transfer or delete the personal data it holds on someone, and you need to be able to do so. There are also many more restrictions on what you can do with personal data.
Data must be portable and forgettable
Individuals' personal data must be stored in such a way that, on request, you can provide people with a copy of their data in a structured, commonly used and machine-readable format. You also need to be able to delete a person's data when they ask, unless you have a lawful reason to keep it. This applies just as much to old legacy systems, archives and backups as it does to your live systems.
How you use data must be clearly explained
The rules on how you obtain consent for processing are getting stronger: consent must be freely given, specific, informed and unambiguous, and the individual can withdraw it at any time, as easily as they gave it. You need to tell people all of the ways you are using their personal data, what it is being used for, and who you share it with.
Be careful of your third party partners
If you pass your clients' personal data to other companies, you need to be very careful. As the data controller you remain responsible for what happens to it after you have passed it on, so you must have a written contract with each third party and be sure they handle the data in line with GDPR, even though you have no direct control over them. You are still at risk if that third party suffers a breach.
Huge fines could come your way
The fines that can be handed out run into millions of pounds. From May 2018 a fine for non-compliance can be as severe as 4% of your annual global turnover or €20 million, whichever is the greater. If you have a personal data breach, which could be something as simple as losing a USB drive or sending an email to the wrong person, you are legally required to inform the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to put individuals at risk; where the breach is likely to put them at high risk you must also tell the individuals concerned without undue delay. Most organisations must keep a record of their data processing activities. Public authorities and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data must appoint a Data Protection Officer, and any processing likely to result in a high risk to individuals requires a data protection impact assessment before it starts.