What Is GDPR, And Are You Ready For It?
As of 25th May 2018, your business will have to be fully compliant with new regulation relating to how you manage and store data. This new tranche of regulation is known as GDPR (General Data Protection Regulation) and is an expansion of existing data protection laws, known in the UK as the Data Protection Act 1998.
Why is this new regulation coming into force? The initiative came from the European Union (EU), which was concerned about how businesses used and secured data, exactly what data businesses and organisations held on individuals, and whether they had the consent of those individuals to hold data about them. These concerns were brought into the public eye by the rapid transformation of society through citizens’ use of new technology and digital platforms, such as the adoption of social media and e-mail.
The first thing to note is that Britain leaving the EU as a result of the ‘Brexit’ vote will have no impact on the adoption of the new regulation; as mentioned, the regulation comes into effect in May of 2018, and businesses must be fully aware of their obligations under this new legislation.
So what exactly will businesses need to be aware of and need to implement in advance of 25th May 2018? Full information about the regulation and some preliminary guidance is available online from the Information Commissioner’s Office (ICO), but I will summarise the headline issues and actions in the rest of this article.
The good news is that GDPR provides your business or organisation with opportunities to revisit business processes in a way that will yield efficiencies and re-engage past contacts and clients. The bad news is that businesses and organisations are up against it if they have yet to consider the implications of GDPR for their work, and they must start to do so now if they are to be ready in time. GDPR is mandatory legislation and does not give businesses or organisations the opportunity to opt out. Failure to comply with GDPR, especially in conjunction with a data breach, could result in sizeable fines. In addition, it is businesses and organisations themselves that are held legally accountable (not their employees), so you need to ensure that everyone on the payroll understands the significance of GDPR and their professional obligations under it.
In a broad overview, GDPR can be summarised as having two core themes: the security of data held by a company or organisation, and the rights or permissions of that company or organisation to hold that data. Each is as important as the other as far as the legislation is concerned.
In terms of data security, GDPR is primarily concerned with how information on individuals is both stored and accessed, and whether a person who is viewing that information has the individual’s permission and good reason to do so. Given that most information is stored digitally, the prime concern for businesses and organisations will be how information is kept or accessed on digital devices such as laptops, computers and phones, but this also extends to data storage solutions such as USB sticks, CD-ROMs and internet servers. However, GDPR also covers traditional hardcopy records and how they should be kept under lock and key when not being accessed.
The main focus of these security concerns is minimising the risk of data breaches: data incorrectly or illegally accessed or obtained by others due to a business’s or organisation’s carelessness or non-compliant processes. Given that identity fraud can be easily committed with the bare bones of information about any one individual, the legislation aims to ensure that the risk to citizens is minimised when they provide their personal details to others for legitimate purposes.
The second, equally important aspect of GDPR is the justification for a business or organisation to retain information about individuals in the first place. In other words, does that business or organisation have the consent and knowledge of that individual to hold onto information about them, and is the information that they do hold relevant to the organisation and only used in an appropriate manner?
This in turn means that businesses and organisations must audit the information that they currently have on file to ensure that it meets the criteria, and must dispose of information that is no longer valid or justifiable. In addition, they must also look at how they gather information, how that information is stored and how that information is accessed, specifically in terms of the individuals’ own awareness of how the business or organisation intends to hold, process and store their data.
To tie these two strands together, businesses and organisations must nominate internal stakeholders with regard to data protection, and let the Information Commissioner’s Office know of this point of contact.
As you can gather, GDPR is a huge subject with significant ramifications, but it does provide a spur for businesses to get their houses in order, with eventual profitable outcomes in addition to the required compliance.
The good news is that there is still time to get your business compliant with GDPR. Also, if you’re already following existing data protection legislation, you’re probably in a position to make the few remaining transitional steps. Diamond Discovery can help you with this and provide software solutions to help you maintain compliance, so do get in touch with me if you want to know more.