General Data Protection Regulation (GDPR)

On 25th May 2018, the General Data Protection Regulation (GDPR) will come into force. The GDPR replaces the Data Protection Act (DPA) and sets out what is required to keep individuals’ data secure. Although it is European legislation, it will still be introduced in the UK and will remain as legislation when we have left the European Union.

The legislation is designed to tighten the use of personal data and requires organisations using the data to ensure they protect it. Failing to do so can result in huge penalties.

In-depth details about the GDPR can be found on the Information Commissioner’s Office web site. This is being updated monthly to provide guidance on what will be required. Please find below a brief explanation of several aspects of the GDPR about which all organisations will need to be aware.
 

Consent

When you obtain personal information about people, such as through a web site, you must obtain their explicit consent. The exact wording is:

    “Consent under the GDPR requires some form of clear affirmative action. Silence, pre-ticked boxes or inactivity does not constitute consent. Consent must be verifiable. This means that some form of record must be kept of how and when consent was given. Individuals have a right to withdraw consent at any time.”

This may require changes to forms used on web sites and other media to remain within the law.
 

The Rights of the Individual

Under the GDPR, individuals will have the right to obtain confirmation that their data is being processed. They will also have the right to be given a copy of the data, correct it if required and request that it be erased.
 
It is therefore important that all the data held by organisations is well maintained to enable requests to be promptly dealt with.
 

Data Protection and Accountability

When you hold data, you will have an obligation to implement technical and organisational measures to show you have considered and integrated data protection into your processing activities.
 
In addition to ensuring your processing of data offers protection, the technical aspects of security can include data encryption, firewalls to protect networks and anti-malware software. Vantage IT can provide the assistance you require to protect your data.
 
Organisations will be required to demonstrate that they comply with the principles of the GDPR and will need to show how they comply. For example, by documenting the decisions taken about a processing activity.
 

Breaching the GDRP

All organisations will have a duty to report certain types of data breach to the supervisory authority and in some cases to the individuals affected.
 
The penalties being introduced really are punitive and could result in fines of up to 10 million Euros or 2 per cent of the organisation’s global turnover.
 

Summary

The General Data Protection Regulation will be introduced on 25th May 2018 and will affect all organisations that hold personal data. The potential fines have been made deliberately large to encourage a greater respect for the handling of personal data.
 
There will be a requirement for people to opt-in to marketing rather than opt-out, so processes employed by organisations will have to be updated.
 
Crucially, data will have to be securely held without the risk of it getting mislaid, carelessly discarded, or stolen.
 
With introduction into UK law about a year away, time is limited. Planning needs to start to ensure the GDPR can be successfully introduced at your organisation and in good time.
 
Vantage IT can help with many elements that will be impacted by the GDRP, these include:

  • Data encryption to protect data
  • Firewalls to prevent unauthorised external access to your networks
  • Anti-malware software to limit the possibility of malware stealing your data
  • Introduce IT policies to increase the complexity of passwords and ensure they are changed on a regular basis
  • Enforce IT network wide rules to limit the use of flash drives where data can be easily removed and lost

Please contact us to find out how Vantage IT can assist with getting your organisation GDPR ready.
 
This information is our understanding of the legislation at the time of writing and Vantage will not be liable for any errors or omissions.