GDPR – Are you compliant yet?
The deadline for GDPR compliance has long passed. Still unsure whether you meet it? Let us help.
A UK study has found that organisations of all sizes are still not compliant with the regulation.
During the Queen's Speech the UK's Data Protection Bill was announced. The bill is intended to ensure that the UK "retains its world-class regime protecting personal data". The Data Protection Bill will replace the current Data Protection Act 1998 and incorporate the GDPR into UK law.
So what is it?
GDPR stands for General Data Protection Regulation. Its main aim is to replace and modernise the existing Data Protection Directive (95/46/EC), which dates from 1995.
The GDPR is designed to protect personal data and the rights of the individuals it relates to, including protection against personal data breaches.
The regulation sets two tiers of administrative fine. The maximum fine for the most serious infringements (for example, breaching the basic principles for processing, or the rights of data subjects) is €20 million or 4% of annual global turnover, whichever is greater. Other infringements, such as failing to notify a personal data breach, carry a maximum of €10 million or 2% of annual global turnover, whichever is greater.
Confused by the GDPR assessment? Contact us for FREE advice on how to get started.
Brief GDPR background
The GDPR strengthens the rights of individuals in the European Union (EU) to control their personal data and requires organisations to bolster their privacy and data protection measures. The regulation imposes new organisational requirements, which can include appointing a Data Protection Officer (DPO), carrying out Data Protection Impact Assessments (DPIAs), and protecting personal data by design and by default. Data subjects have significantly enhanced rights, such as the right to access and receive a copy of their personal data, and the right to have it erased. Notably, organisations that violate the GDPR can face fines of up to €20 million or 4% of annual global turnover (revenue), whichever is greater. The regulation was adopted on 27 April 2016 and has applied since 25 May 2018. Be ready.
Discover: Identify what personal data you have and where it resides
The first step towards GDPR compliance is to assess whether the GDPR applies to your organisation, and, if so, to what extent. This analysis starts with understanding what data you have and where it resides.
Does the GDPR apply to my data?
The GDPR regulates the collection, storage, use, and sharing of “personal data.” Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person.
If your organisation has such data—in customer databases, in feedback forms filled out by your customers, in email content, in photos, in CCTV footage, in loyalty program records, in HR databases, or anywhere else—or wishes to collect it, and if the data belongs or relates to EU residents, then you need to comply with the GDPR. Note that personal data doesn’t need to be stored in the EU to be subject to the GDPR—the GDPR applies to data collected, processed, or stored outside the EU if the data is tied to EU residents.
Building your inventory
To understand whether the GDPR does apply to your organisation and, if it does, what obligations it imposes, it is important to inventory your organisation’s data. This will help you to understand what data is personal data, and to identify the systems where that data is collected and stored, understand why it was collected, how it is processed and shared, and how long it is retained.
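The inventory step is the part of this process that can be partly automated. The following is an added example, not code from the original page or from Computer Rescue: it scans constructed sample records from three hypothetical systems for values and field names that look like personal data and produces a first-pass inventory of system, field, data category and record count. The system names, records and detection patterns are all assumptions made for the example; in practice the rows would come from each database, file share and SaaS export, and the output is a list of candidates for a human to confirm, not a legal determination of what is personal data.

```python
import re

# Constructed sample data (hypothetical; not from the original page). Each key is a
# system, each value a few rows as they might be exported from that system.
SYSTEMS = {
    "crm.customers": [
        {"id": 101, "full_name": "Anna Lindqvist", "email": "anna@example.com",
         "phone": "+44 20 7946 0958", "notes": "prefers email"},
        {"id": 102, "full_name": "Ben Okafor", "email": "ben.okafor@example.org",
         "phone": "020 7946 0123", "notes": "also reachable at ben@example.net"},
    ],
    "hr.employees": [
        {"staff_no": "E-77", "full_name": "Chloe Martin", "ni_number": "QQ123456C", "salary": 41000},
        {"staff_no": "E-78", "full_name": "Dev Patel", "ni_number": "AB123456A", "salary": 39000},
    ],
    "web.feedback": [
        {"ticket": 5001, "rating": 4, "comment": "Great service, thanks!"},
        {"ticket": 5002, "rating": 2, "comment": "Call me back on +44 7700 900123",
         "client_ip": "203.0.113.7"},
    ],
}

# Value-based detectors for common personal-data categories. The patterns are
# deliberately simple (the NI number check is format only, not a validity check);
# they exist to surface candidates for review, not to decide the legal question.
DETECTORS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d\s()-]{8,}\d"),
    "uk_ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Field names that usually hold personal data even when the value has no
# recognisable pattern (a bare name, a date of birth, a salary figure).
NAME_HINTS = ("name", "dob", "birth", "address", "salary", "nationality")


def classify_field(field, value):
    """Return the set of personal-data categories a single field value falls into."""
    categories = set()
    text = str(value)
    for category, pattern in DETECTORS.items():
        if pattern.search(text):
            categories.add(category)
    if any(hint in field.lower() for hint in NAME_HINTS):
        categories.add("name_hint")
    return categories


def build_inventory(systems):
    """Map (system, field) -> {"categories": set, "records": count} for every field
    that looks like it holds personal data in at least one record. Free-text fields
    such as "notes" and "comment" are scanned too, since personal data often hides there."""
    inventory = {}
    for system, rows in systems.items():
        for row in rows:
            for field, value in row.items():
                categories = classify_field(field, value)
                if not categories:
                    continue
                entry = inventory.setdefault((system, field), {"categories": set(), "records": 0})
                entry["categories"] |= categories
                entry["records"] += 1
    return inventory


def summarise(inventory):
    """Render the inventory as one line per field. Purpose and retention cannot be
    inferred from the data, so they are left for the data owner to fill in."""
    lines = []
    for (system, field), entry in sorted(inventory.items()):
        cats = ",".join(sorted(entry["categories"]))
        lines.append(f"{system:15} {field:10} {cats:22} records={entry['records']} "
                     "purpose=? retention=?")
    return lines


if __name__ == "__main__":
    for line in summarise(build_inventory(SYSTEMS)):
        print(line)
```

Two things the run shows that a column-name review alone would miss: the free-text "notes" field in the CRM carries an e-mail address in one record, and a feedback comment contains a phone number. Both fields belong in the inventory, with their purpose and retention period recorded by the owning team.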
Manage: Govern how personal data is used and accessed
The GDPR provides data subjects (the individuals to whom data relates) with more control over how their personal data is captured and used. Data subjects can, for example, request that your organisation provide information on the processing of data that relates to them, transfer their data to another service, correct mistakes in their data, or restrict certain data from further processing in certain cases. These requests must generally be answered within one month of receipt, extendable by a further two months where requests are complex or numerous, so you need a process that can find a person's data across your systems within that window.
Compliance - In Summary
Consumers have a legal right to access the data an organisation has collected about them.
Consumers have the right to object to processing, including the right to be removed from marketing lists.
Organisations need to tell consumers how they are using their data and where they are storing it.
Organisations must notify the Supervisory Authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be told without undue delay.
Consumers have the right to ask the company to transfer their data to another party.
Companies must be able to restore the availability of and access to personal data in a timely manner after an incident, which in practice means a tested Disaster Recovery plan, and must regularly test the effectiveness of their security measures.
Consumers have the right to ask for their data to be deleted.
Companies must safeguard personal data with appropriate technical and organisational measures.
Those measures must ensure the confidentiality, integrity and availability of personal data; encryption and pseudonymisation are named in the regulation as examples of appropriate measures.
Access controls must be in place. Staff and vendors should only have access to the data required for their role.
Computer Rescue is both IASME and Cyber Essentials certified. Cyber Essentials is a UK government-backed programme of security assurance that helps organisations implement protection against common cyber attacks and demonstrate to their customers that they take cyber security seriously. IASME (Information Assurance for Small and Medium-sized Enterprises) is designed as a security benchmark for the SME.
Computer Rescue can help your company achieve Cyber Essentials certification, ensuring that your organisation meets all of the requirements. Talk to us today about how we can help you secure your company's IT networks.