What is GDPR ?
GDPR is the General Data Protection Regulation, which comes into force, i.e. UK law, on 28th May 2018.
It will replace the Data Protection Act of 1998, and is basically intended to harmonise the protection of individuals’ privacy rights across Europe. (Yes I know we are Brexiting, but as it comes into UK legislation before Brexit it will apply 100% to us. And in order to trade with the EU post-Brexit we will need to have data protection laws in place which are in line with those within the EU.)
In short, it is intended to protect the privacy of individuals by regulating how their personal data is stored and used by organisations. It will hopefully prevent, or at least mitigate the damage of, such major security breaches as Talk Talk or Equifax by limiting the amount and scope of personal data which is stored, and regulating it’s usage and movement between organisations.
Important – Note that this just applies to individuals, known as ‘Natural Persons’ or ‘Living Individuals’, so that is you and me, not other legal entities such as companies.
Why haven’t I heard of it?
Well, it’s been coming a long time, and the Internet, business publications, and my Inbox(!), have been full of it for a while. But don’t feel bad – in a straw poll recently over 50% of our customers were not aware of it. Certainly now is the time to get up to speed.
What does it mean to you as an organisation?
There are two key definitions in the regulations, Data Controller and Data Processor. Very briefly, if you are storing or processing individuals’ personal data – name, address, phone number, date of birth etc, then you must comply with the regulation.
Key to this is identifying a justification for storing the data in the first place. These will typically be because the individual has given specific consent, e.g. signed up to a newsletter; or you need the data to complete a contractual obligation, e.g. your electricity company needs certain data in order to be able to supply you; or for legal purposes, e.g. Payroll records.
But how long ago did the individual give their consent to receive the newsletter? And was it just for one newsletter, or do you take the opportunity to send other marketing material as well? How long after you switch electricity providers can they justify retaining your information? You need to keep statutory HMRC information, but do you really need to retain other HR records for ex-employees?
Fortunately much of the regulation is common sense and it is easy to see how the rules apply, but this is serious legislation, you must be aware of it within your organisation, and take action before May 2018.
One of the key headlines you will see is about the penalties applicable for breaching the regulations, these are up to €20m or 4% or annual global turnover. Of course these are going to be limited to the worst breaches like the big companies mentioned above, and will depend not just on the severity of the breach but also on the quality of the processes that the organisation had in place prior to the breach. But sadly as always it is anticipated that there will be a lot of ‘ambulance chasers’, so in a similar way to PPI we expect lots of ‘no win no fee’ claims regarding breaches of the new regulations.
So isn’t this just an IT problem?
Well yes and no. It is certainly aimed at the huge amount of data that is stored within IT systems, but like the other current hot topic which is PCI DSS regulation which covers the storage and transmission of payment card data, it very much relates to the internal processes within an organisation as much as the mechanics of how the data is stored.
We can help with things like Data Encryption, Security Patching (both the Equifax breach and the famous NHS WannaCry attack were traced to out of date software in key roles), and with Firewalls and Network Security. Contact us anytime for free advice and recommendations regarding your systems.
But you also need the right internal procedures, checks and culture to make sure that you don’t fall foul of this new and far reaching legislation.