The General Data Protection Regulation (GDPR) came into force in May 2018 as EU legislation and was also enshrined in UK law. This affects every organisation carrying out business in the United Kingdom that holds personal information. Personal data includes names, addresses, credit card details and even computer IP addresses.
What Does GDPR Mean for UK Organisations?
The UK GDPR legislation has tightened the rules on the use of personal data and consequently requires organisations to protect the data they use. Failing to do so can result in huge penalties. There are several key points to the legislation:
When you acquire personal information about people, such as through a website, you must obtain their explicit consent. The exact wording is:
“Consent under the GDPR requires some form of clear affirmative action. Silence, pre-ticked boxes or inactivity does not constitute consent. Consent must be verifiable. This means that some form of record must be kept of how and when consent was given. Individuals have a right to withdraw consent at any time.”
This may require changes to the forms used on websites and other media in order to remain within the law.
The Rights of the Individual
Under GDPR, individuals have the right to obtain confirmation that their data is being processed. They also have the right to be given a copy of the data, to have it corrected if required, and to request that it be erased (known as the right to be forgotten).
Requests from individuals need to be dealt with promptly. It is therefore important that all data held by organisations is well maintained.
Data Protection and Accountability
When data is held, you have an obligation to implement technical and organisational measures to show you have considered and integrated data protection into your processing activities.
In addition to ensuring that your processing of data offers protection, the technical aspects of security can include data encryption, firewalls to protect networks and anti-malware software. Vantage IT can provide the assistance you require to protect your data. One of the methods suggested to help ensure compliance is data encryption.
Organisations are required to demonstrate that they comply with the principles of UK GDPR and need to show how they fulfil the requirements, for example by documenting the decisions taken about a processing activity.
Breaching the GDPR
All organisations have a duty to report certain types of data breach to the supervisory authority and, in some cases, to the individuals affected. Where the data involved is encrypted, there may be instances in which a breach does not need to be notified.
Your organisation can be subject to huge penalties that really are punitive. Breaches can result in fines of up to £17m (€20m) or 4% of global turnover, whichever is larger.
There is also the potential for people who have been victims of data breaches to sue for damages, multiplying the potential costs an organisation could face.
What You Should Do
To become UK GDPR compliant, there are a number of tasks that need to be carried out. These include:
- Appoint someone as the data protection officer. It will be their job to implement GDPR and confirm that your organisation complies.
- Draw up a policy that stipulates how you handle data and how you protect it.
- Implement measures to keep data safe. This includes encryption, secure storage, protection for IT networks and user education. Data should be protected in whatever form it is transmitted or stored, including email, file sharing, stored files, voice calls and CCTV.
- Train all your staff on the importance of data security and the dangers of losing data.
Where to Start
The Information Commissioner’s Office (ICO) has provided resources to explain what tasks you need to carry out.
A Guide to the UK General Data Protection Regulation (UK GDPR) can be found on the ICO website. This includes a data protection self-assessment to help you understand your compliance with data protection law and find out what you need to do to make sure you are keeping people’s personal data secure.
Help from Vantage IT
Vantage IT provides assistance with the many elements affected by GDPR. We will help with the following:
- Data encryption to protect data
- Firewalls to prevent unauthorised external access to your networks
- Anti-malware software to limit the possibility of malware stealing your data
- Introducing IT policies to inform staff about the protection of data
- Enforcing network-wide rules to increase the complexity of passwords and limit the use of flash drives, from which data can easily be removed and lost
Please contact us to find out how Vantage IT can assist with getting you GDPR ready and thereby protect your organisation.
This information is our understanding of the legislation at the time of writing. Vantage IT will not be liable for any errors or omissions.