On 25th May 2018, the General Data Protection Regulation (GDPR) will come into force. Every organisation doing business in the United Kingdom or the EU that holds personal information will be affected. Personal data includes names, addresses, credit card details and online identifiers such as computer IP addresses.
What Does GDPR Mean for UK Organisations?
Although it is European legislation, it will apply in the UK and will remain in UK law after the country has left the European Union. The legislation is designed to tighten the use of personal data and requires organisations that use the data to protect it. Failing to do so can result in heavy penalties. There are several key points to the legislation:
Consent – Where you rely on consent to collect personal information about people, for example through a web site form, that consent must be a clear, affirmative choice by the individual. The requirement is summarised as follows:
“Consent under the GDPR requires some form of clear affirmative action. Silence, pre-ticked boxes or inactivity does not constitute consent. Consent must be verifiable. This means that some form of record must be kept of how and when consent was given. Individuals have a right to withdraw consent at any time.”
This may require changes to forms used on web sites and in other media to remain within the law: no pre-ticked boxes, a clear opt-in, and a record of how and when each consent was given.
The Rights of the Individual – Under the GDPR, individuals will have the right to obtain confirmation that their data is being processed. They will also have the right to be given a copy of the data, correct it if required and request that it be erased (known as the right to be forgotten).
Requests must normally be answered within one month, so it is important that organisations know where all the personal data they hold is stored and keep it well maintained, so that requests can be dealt with promptly.
Data Protection and Accountability – When you hold data, you will have an obligation to implement appropriate technical and organisational measures, and to be able to show that data protection has been considered and built into your processing activities from the outset.
The technical measures can include encryption of stored and transmitted data, firewalls to protect networks and anti-malware software. Encryption is one of the measures the regulation itself names as appropriate; it reduces the risk and impact of a breach, but no single measure makes an organisation compliant on its own. Vantage IT can provide the assistance you require to protect your data.
Organisations will be required to demonstrate that they comply with the principles of the GDPR, for example by documenting the decisions taken about each processing activity and the lawful basis relied on.
Breaching the GDPR – All organisations will have a duty to report certain types of personal data breach to the supervisory authority, normally within 72 hours of becoming aware of the breach, and in some cases to the individuals affected. Where the breached data was encrypted and the encryption key has not been compromised, notifying the individuals may not be required, but the breach must still be assessed and recorded.
The penalties being introduced really are punitive and could result in fines of up to £17m (€20m) or 4% of global annual turnover, whichever is higher.
Individuals affected by a data breach can also claim compensation, multiplying the potential costs an organisation could face.
What You Should Do
There are a number of tasks that need to be carried out to ensure you are compliant with GDPR.
- Appoint someone to be responsible for data protection. Make it their job to implement the GDPR and confirm that your organisation complies. A formal Data Protection Officer is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data.
- Draw up a policy that stipulates how you handle data and how you protect it.
- Implement measures to keep data safe. This includes encryption, secure storage, protection for IT networks and user education. Data needs to be protected in every form in which it is handled, whether it is being emailed, shared as files, stored or discussed on voice calls.
- Train all your staff about the importance of data security and the consequences of losing data.
Where to Start
The Information Commissioner’s Office (ICO) has provided resources explaining what tasks you need to carry out to be GDPR ready.
A twelve step checklist has been produced and can be downloaded from the ICO website. There is also the Data Protection Self-Assessment Toolkit, which will help you assess your compliance and find out what is required.
Help from Vantage IT
Vantage IT can help with many elements that will be impacted by the GDPR, these include:
- Data encryption to protect data
- Firewalls to prevent unauthorised external access to your networks
- Anti-malware software to limit the possibility of malware stealing your data
- IT policies that tell staff how to handle and protect data
- Network-wide rules that enforce stronger passwords and restrict the use of USB flash drives, from which data can easily be removed or lost
Please contact us to find out how Vantage IT can assist with getting your organisation GDPR ready.
This information is our understanding of the legislation at the time of writing and Vantage IT will not be liable for any errors or omissions.