GDPR – Are you compliant yet?
The deadline has long passed for you to be GDPR compliant. Still unsure? Let us help.
A UK study has found that organisations of all sizes are still not compliant with the regulation.
Back in 2018 a new directive for data privacy was launched: GDPR, the General Data Protection Regulation. At the heart of this directive are improved regulations surrounding keeping personal data safe and, of course, increased fines for non-compliance.
The maximum fine for serious infringements is 20 million euros or 4% of global turnover (whichever is greater). Less serious issues, such as failure to notify about a data breach, carry a fine of 2% of turnover.
GDPR also requires organisations to inform the ICO (Information Commissioner's Office) of a data breach within 72 hours of becoming aware of it.
Unsure about GDPR? Our 7-Day GDPR Tips & Compliance Email Series explains all you need to know.
Discover: Identify what personal data you have and where it resides
The first step towards GDPR compliance is to assess whether the GDPR applies to your organisation, and, if so, to what extent. This analysis starts with understanding what data you have and where it resides.
Does the GDPR apply to my data?
The GDPR regulates the collection, storage, use, and sharing of “personal data.” Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person.
If your organisation has such data—in customer databases, in feedback forms filled out by your customers, in email content, in photos, in CCTV footage, in loyalty program records, in HR databases, or anywhere else—or wishes to collect it, and if the data belongs or relates to EU residents, then you need to comply with the GDPR. Note that personal data doesn’t need to be stored in the EU to be subject to the GDPR—the GDPR applies to data collected, processed, or stored outside the EU if the data is tied to EU residents.
Building your inventory
To understand whether the GDPR does apply to your organisation and, if it does, what obligations it imposes, it is important to inventory your organisation’s data. This will help you to understand what data is personal data, and to identify the systems where that data is collected and stored, understand why it was collected, how it is processed and shared, and how long it is retained.
Manage: Govern how personal data is used and accessed
The GDPR provides data subjects—individuals to whom data relates—with more control of how their personal data is captured and used. Data subjects can, for example, request that your organisation provides information on the processing of data that relates to them, transfer their data to other services, correct mistakes in their data, or restrict certain data from further processing in certain cases. In some cases, these requests must be addressed within fixed time periods.
Compliance - In Summary
Consumers have a legal right to access the data an organisation has collected about them.
Consumers have the right to ask to be removed from data lists.
Organisations need to provide details of how they are using and where they are storing consumer data.
Organisations need to notify both the individual and the Supervisory Authority of any data breaches. Notification must be sent within 72 hours.
Consumers have the right to ask the company to transfer their data to another party.
Companies must have a Disaster Recovery plan in place, and it must be tested regularly.
Consumers have the right to ask for their data to be deleted.
Companies must safeguard their data.
Data must be encrypted, ensuring confidentiality, integrity and availability.
Access controls must be in place. Staff and Vendors should only have access to data that is required for their job.
Computer Rescue is both IASME and Cyber Essentials certified. Cyber Essentials is a programme of security assurance which aims to help organisations implement protection against cyber attack, demonstrating to their customers that they take cyber security seriously. Information Assurance for Small to Medium-sized Enterprises (IASME) is designed as a security benchmark for the SME.
Computer Rescue can help your company to achieve the Cyber Essentials Certification, ensuring that your organisation meets all of the requirements. Talk to us today about how we can help you to secure your company's IT networks.