The General Data Protection Regulation (GDPR) is now in place and set to be the most important change in data privacy regulation in over 20 years. It is imperative that you start preparing for this change – those in non-compliance could face heavy fines.
Take a look through the GDPR resources below to support, educate and start you on your journey to GDPR compliance!
With preparation time quickly diminishing, businesses must:
GDPR is the new future-proofed European legal framework for the protection of personal data. It has been designed to deliver an improved framework for the rights of individuals and how their data is handled, stored and processed.
This new legal framework is an expansion of existing principles, but there are some important updates and enhancements, such as the ‘Right to be forgotten’, the ‘Right to data portability’ and ‘Breach notification standards’. This page will delve into some of these key points in further detail.
Paper documents can lead a double or triple life – do you know how many copies of your documents exist? Human handling of documents can result in a complete lack of document control and exposes organisations to data breaches. While physical copies of documents exist, they can be easily copied and stolen, with evidence trails hard to follow.
Can your documents be kept private? – Privacy is stressed in the GDPR and it is far easier to maintain when paperwork isn’t involved. Paper documents can easily get into the wrong hands, which could easily become a data breach.
Can you easily find all the information you need? – If you can’t find all the information held on an individual, how can you comply with GDPR? Do you know where it is? Is it all in the same place? Is it kept externally or internally in the building? Are you confident you’ve got it all? Searching and retrieving paper files is a time-consuming and costly exercise.
Can you accurately manage retention periods? – Organisations regularly make printed copies of digital files. If a digital file is destroyed and a paper version still exists somewhere, compliance with the GDPR is potentially affected.
Privacy by design: Promote privacy and data protection from the start – don’t ‘bolt’ it on as an afterthought or ignore it altogether. Show strong compliance by evidencing all communications and involvement that you have had with a client, as well as controlling who has access to what data.
Accountability & data breach reporting: A personal data breach is not simply the loss of data but a breach of security, resulting in destruction, loss, alteration, unauthorised disclosure of or access to personal data. As a data controller, you must inform the relevant supervisory authority, as well as affected individuals, within 72 hours of learning of a personal data breach. As a data processor, we will notify our clients immediately upon identification of such an instance.
The right of access – data handling and processing: Both current and legacy customers are able to request access to the data you hold on them. How will you comply if you are faced with this request – do you know what information you hold and where it is stored? Could you fulfil it within one month?
Data quality and accuracy: It is unacceptable under GDPR to hold inaccurate and irrelevant information. Consider what information you hold and whether it is absolutely necessary. If it isn’t, simply delete it. All relevant information needs to be kept accurate as far as it is reasonable.
Data portability and the right to be forgotten: The right to data portability allows individuals to move, copy or transfer personal data easily and securely from one IT environment to another. If an individual wished to leave for a competitor, their data would need to be made freely available to the new firm without undue delay (within one month). The right to be forgotten enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
Only contact individuals who have expressly granted consent for you to do so: Customers must grant permission before you use their data – they must also know what it will be used for – the right to be informed. Be clear and precise about your intentions.
Fundamentally, you need to break things down into bite-size chunks and not get overwhelmed. Understanding GDPR may appear daunting and complicated, but it needn’t be – preparation is the key:
Failure to comply could lead to a fine of up to 4% of your organisation’s global annual turnover and leave your company’s reputation damaged beyond repair. Reduce the risk and start preparing today!
(Sources: The Information Commissioner’s Office, Infosecurity Magazine – GDPR: One Year and Counting)