What does it mean for me?
The General Data Protection Regulation is due to replace the Data Protection Directive in May 2018. The main focus of this change in the law is to strengthen the way in which personal data is protected in the EU. All EU Organisations must consider how such information is stored. The stated aim of the new Regulations is to strengthen and unify data protection for all individuals in the European Union.
The regulation was adopted in April 2016 and became part of the wider Data Protection Bill in the UK in September 2017. Since then, a two-year period has been granted for Organisations to become fully compliant. The Regulations aim to protect all EU citizens from data and privacy breaches as data becomes increasingly digital. A number of key changes are evident in the regulation, and they affect businesses in a number of ways.
When Does GDPR come into effect?
The Regulations will be live from 25th May 2018. Organisations must be able to demonstrate they are compliant with the requirements of the GDPR as of this date. The UK Government has assured this will take place as part of the Data Protection Bill (2017).
Will Brexit have any impact?
Although the UK is leaving the EU, GDPR will still apply. If Organisations continue to offer services or products to EU citizens, they will need to be GDPR compliant. The UK Data Protection Bill (2017) incorporates the requirements of GDPR. The Government has confirmed GDPR will remain part of UK law even after exiting the EU, stating it is “suitable for our new digital age, allowing citizens to better control their data.”
What are the consequences?
Organisations that fail to comply can be fined up to £17m (€20m) or up to 4% of global turnover. These are the maximum fines for not following the GDPR; a tiered approach will be in place for fines. These rules apply to Organisations as well as processors – this means ‘clouds’ will also have to be GDPR compliant.
A system that verifies individuals’ ages and obtains parental/guardian consent, for any data processing activity, should be considered.
The conditions for consent have been considerably strengthened by the Regulations. Lengthy and complex “Terms and Conditions” will no longer be accepted; information must be in plain language. Organisations will be required to make a clear and accessible request for data processing, and it must be clearly distinguishable from other matters. It must also be as easy to withdraw consent as it was to give it.
Under the Regulations, the Data Controller has a legal duty to report data breaches without delay. If a breach occurs, a notification must be made within 72 hours of its discovery. The notification must be communicated to customers and controllers.
The Regulations allow data subjects to confirm with Organisations whether their personal data is being processed, including where and for what purpose. Organisations must provide subjects, free of charge, with a copy of the personal data being used, in an electronic format.
Data subjects are within their rights to ask Organisations to erase their personal information. For this, a number of conditions must be met, such as the data no longer being used for its original purposes. Such a request requires Organisations to weigh the subject’s rights against “the public interest in the availability of the data”. It should be noted that the Regulations explicitly require the “Right to be Forgotten” to be as easy for a citizen to exercise as the initial right to share data.
Designing data protection into systems is a concept that has existed for many years, but it is only becoming a legal requirement because of the Regulations. Essentially, data protection must be designed into systems rather than added on afterwards – or, more basically, data protection must be a core function of any system. Organisations must hold and access only the data necessary for their duties. Limiting access to the data must be considered: only those who need the information to complete a process should have access.
The electronic storage of data acquired by Organisations must be protected. The GDPR has been noted to be beneficial to ‘the digital age’, as citizens have more control over their own data. Organisations will need to ask themselves what personal data they hold, why they hold it, where it is stored, who can access it, how it is accessed and for how long it is retained.
The GDPR focuses on the digital storage of personal data. As an overall regulation, it will also apply to paper storage. Organisations which hold paper records will need to ensure that personal data held in those records is as secure as if it were held in electronic form.
All Organisations with any system, paper or electronic, will need to identify its purpose and whether it is necessary for the business. Organisations will need to be critical about which systems are in place and how important they are.
Organisations will need to understand where records containing personal information are stored. It is essential that these records are only accessible internally, under appropriate rules.
The impact of GDPR will mean that all Organisations that hold personal information will need to ensure access is limited. Shared usernames and group accounts should be retired. Some Organisations may opt for a role-based approach, in which a named person or department holds authoritative access to personal data. In that case, Organisations should arrange a process for routing personal data requests to the appointed member or department.
Possibly one of the biggest priorities of the regulation is how data is accessed. Whether it is kept in a filing cabinet, a locked storage room or digitally, those who need personal data must be able to reach it quickly. This is because of the turnaround required for data subject requests: where a data subject would like their information removed, Organisations must have a swift process for doing so.
Organisations should use the adoption of GDPR as a reason to review their data retention policy. As data handling becomes more rigorous under GDPR, all members of the Organisation need a clear understanding of their responsibilities. Customers will have more control over the data Organisations hold about them, and this may affect the Organisation itself. Organisations are recommended to set out their own data retention policy stating how long they hold personal data for. Data subjects should be informed upon deletion, and of the reason for it. Databases should be updated regularly and unnecessary personal data cleansed.
Businesses need to be more conscious of how personal data is handled once GDPR is in force. Organisations must ensure they are aware of where this data is stored, digitally or physically, and how it is handled internally by staff. Failure to do so may result in Organisations failing to comply with GDPR once it is in force. All members of the Organisation and department heads must understand where data is held and how it should be handled, with appropriate procedures.
GDPR gives Organisations an opportunity to audit their systems and the data currently held. This means Organisations can benefit from data cleansing before GDPR becomes law. Doing so will allow Organisations to ensure that all personal data held is necessary for a defined purpose.
The security measures required vary depending on the Organisation itself. If paper systems are kept, a focus should be placed on their physical security. Paper data will need to be organised, managed and maintained so that no data is lost.
These rules need to be made clear to members of the Organisation. Doing so will ensure that those who handle personal data are likely to be more protective of it.
It is advised that CCTV is installed in areas where citizens’ personal data is stored, so that Organisations can ensure only authorised members are accessing these areas.
Physical Locking Systems & Access
Where physical copies of data are held, Organisations must ensure they are secured. It is recommended that they are kept in an area with limited access.
Organisations may already have security in place to protect themselves from external breaches. This must be taken further to ensure personal data is not tampered with internally. This can be done in a number of ways:
Organisations can implement passwords to access specific data. These passwords must be specific to the Organisation and strong enough to prevent easy access.
Notification of Copy
Organisations can implement breach notifications if personal data is held online. This means a senior member of the Organisation would receive a notification if personal data is accessed by someone without the appropriate clearance. The senior team member can then follow up with the employee in question.
Office Only Computers
For Organisations that hold large volumes of, or sensitive, personal data, it may be necessary to prohibit the use of personal computers for work. This keeps all data physically within the Organisation’s building.
Why Choose Strategic Discourse?
We are a Management Consultancy with a difference. Our Consultants have a deep understanding of the requirements of GDPR and other data protection regulations. Our services are diverse, and with no partnerships with technology vendors we retain our impartiality towards all solutions. This allows us to recommend the best solution for your organisational needs.
Our team have a strong background in the following areas:
- Strategic Consulting
- Operations Consulting
- Technical Consulting
- Marketing & Communications
- Sales Assistance
- Research & Analysis
Our ethos is to work with our customers in a true partnership. Where possible, we will assist your teams in reaching their goals with only minor intervention from ourselves. We will work with your team to ensure any solutions are a good fit for your Organisation’s needs.
As we are a small organisation, we are able to respond in a very agile manner to our customers’ needs. We can quickly react to changes at a customer organisation, or to wider market changes. Our projects and programmes are designed using agile and other techniques which reduce the overall time to delivery and limit the need for long, drawn-out projects and programmes.
Training and support
New solutions can be difficult to integrate. We are able to provide training to the members of your Organisation to ensure a clear understanding. Our team can also provide support after implementation while members familiarise themselves with the new solutions.
Low cost options
With a company ethos built on protecting precious front-line resources for our customers, we provide our services at a cost unmatched in the market.
To find out more and to have an initial free consultation with one of our experts, just click one of the buttons to the right.