The EU’s General Data Protection Regulation (GDPR) is new legislation due to be brought into law across Europe on 25th May 2018. The law applies to all businesses of all sizes in every industry and sector.
The purpose of the new legislation is to bring data protection laws up to date and into line with the way our personal data is now held and processed.
Existing data protection laws were enacted prior to the mass providing, processing and sharing of personal and other data, and as such do not account for the data that is now held online and shared between companies. The EU wants people to have more control over the personal data held on them and simplify the law across EU States.
GDPR could be very significant for your business. It is described on the Information Commissioner’s Office website as “the biggest change to data protection law for a generation”.
If you hold and/or process any personal data of any kind, then you must abide by the legislation. The legislation supersedes the existing Data Protection Act 1998 and will apply to UK companies even though the UK is in the process of leaving the EU.
Not only does the legislation tighten up the rules considerably compared to the Data Protection Act but the fines associated with non-compliance and failure to notify any breaches will dwarf those businesses currently face.
If you fail to follow the basic principles set out in the legislation, the data protection authority in the UK – the Information Commissioner’s Office (ICO) – could issue a penalty of up to €20 million or 4% of your global annual turnover, whichever is greater. Should you fail to report a data security breach to both the affected parties and the ICO, then the fines can be up to 2% of your annual worldwide revenue, or €10 million, whichever is higher.
To put these numbers into perspective, TalkTalk’s 2015 data security breach, which resulted in a £400,000 fine, would under GDPR legislation have resulted in a £59 million penalty.
In order to prepare for the legislation, you must know what data you hold, why you hold it, where it is held, what you do with it and how it is protected. If the data you hold is no longer needed or used for the purpose you initially collected it, then you must delete it.
In order to comply with the legislation as an ongoing activity you must look at the way you collect data, why you collect the data and how you use it. There must be explicit consent from the individual to collect the data in the first place and once you have stored the data you must then ensure there are robust processes in place as to how you deal with it – including deleting once the intended purpose has been satisfied.
As a company, you need to understand your current position, identify where the gaps are, prioritise and make plans for addressing the gaps, and then implement the required changes to ensure compliance. After this point you need to ensure, as part of your day-to-day processes and procedures, that you continue to work within the legislation and are able to identify and act upon any breaches should they occur.
There is literature all over the internet about how to prepare for the introduction of the GDPR legislation, including workflows and the various measures you can take as a business to prepare. There is a “12 steps to take now” document on the Information Commissioner’s website that outlines a path for readiness and details as to what each step means.
If you are looking for support to navigate your way through the process, then Fortis Greene can help. We can help you with assessments of your existing estate, process, data held and then work with you through the journey of becoming and staying compliant.
Your IT systems and the data you hold on these are a crucial element of ensuring compliance. We can look at how well protected your systems are, the threat of cyber-attack and other potential data breaches.