GDPR – should you ignore it?
GDPR is the new legislation that came into force on May 25th, 2018 and has replaced the Data Protection Act.
The purpose of the GDPR is to standardise data protection laws across Europe and to protect data within current technology such as the cloud.
The GDPR is overseen by the Information Commissioner's Office (ICO), which is the Supervisory Authority. This is no different from the Data Protection Act.
To comply with the GDPR, the following questions need to be answered:
• Do you need to hold this data?
• If you need to hold it, how long for?
• Who has access to this data?
• Does it leave the EU?
• Do you have consent to hold this data?
What is data?
Data is any information you hold about a “Natural Person”. This definition applies to a living individual. In general, the GDPR does not apply to anyone deceased.
What is data in relation to your business?
Any data your business holds on:
• Employees
• Suppliers
• Contractors
• Landlord
• Clients
• Mailing Recipients
What format of data is covered?
ALL DATA no matter if on a computer, USB drive, paper, mobile phone etc.
Key differences between the Data Protection Act and GDPR are:
• Self-Report – If you have a data breach, you must report it to the ICO yourself within 72 hours
• Fines have now increased to up to 4% of annual turnover or €20 million (whichever is the higher value)
• A data subject request has to be answered within 1 month (reduced from 40 days) and you can no longer charge a fee
Whilst the GDPR does not stipulate specific examples of how to protect your data, it is your actions prior to a data breach that will determine the severity of any fines levied by the ICO. The procedures and protection you put in place now will help mitigate future enforcement action.
What is a data breach?
A data breach is the loss, unintended deletion or unauthorised access to data. Typically, this could be:
• A laptop left on a train
• Data theft by an employee
• A computer crashing with the permanent loss of Client data
As a business and employer, you have a responsibility to protect the data used by your company. This can be broken down into:
• Physical Protection
• Digital Protection
• Procedural / Policy
Physical Protection
To comply with physical protection of your data, you should look at the basics first, such as locking your office, password protecting your computer, alarm systems and CCTV. Being able to prove you have good physical protection in place will provide a good defence in the event of data loss.
Digital Protection
Whilst we all complain about passwords, setting a good password for your computer is half the battle. Particularly sensitive documents should also be password protected. We suggest using a random password generator and a digital password vault. Both of these options are free. Hard drive and USB encryption are also essential. Encrypting your hard drive, NAS, USB pen or laptop will prevent anyone from reading your data in the event of theft or loss.
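The article recommends a random password generator but does not show what "random" and "good" mean in practice. The following is an added example (not code from the original article): it draws passwords and passphrases from the operating system's cryptographic random source and reports how many bits of entropy each one carries, which is the figure that actually decides how hard a password is to guess. The 16-word list is a constructed stand-in for a real word list of several thousand entries; every name in the block is an assumption for this example.

```python
import math
import secrets
import string

# Letters, digits and punctuation: 94 printable, non-space characters,
# so each uniformly chosen character adds log2(94), roughly 6.55 bits.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample word list. A real diceware-style list has thousands of
# words (about 12.9 bits per word); this one only gives 4 bits per word.
SAMPLE_WORDS = [
    "anchor", "basket", "cactus", "dolphin", "ember", "falcon", "garnet", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
]


def entropy_bits(symbol_count: int, length: int) -> float:
    """Entropy of `length` symbols each chosen uniformly from `symbol_count` options."""
    if symbol_count < 2 or length < 1:
        return 0.0
    return length * math.log2(symbol_count)


def generate_password(length: int = 16, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Random password built with `secrets` (CSPRNG), never the `random` module."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 6, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Random passphrase: easier to type and remember; strength comes from word count."""
    if words < 1:
        raise ValueError("words must be at least 1")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def password_entropy(length: int, alphabet: str = PASSWORD_ALPHABET) -> float:
    """Bits of entropy for a password of `length` characters from `alphabet`."""
    return entropy_bits(len(set(alphabet)), length)


def passphrase_entropy(words: int, wordlist=SAMPLE_WORDS) -> float:
    """Bits of entropy for a passphrase of `words` entries from `wordlist`."""
    return entropy_bits(len(set(wordlist)), words)


def strong_enough(bits: float, minimum_bits: float = 80.0) -> bool:
    """Simple policy check: 80 bits is a common floor for a vault master password."""
    return bits >= minimum_bits


if __name__ == "__main__":
    pw = generate_password(16)
    print(f"password   {pw!r}: {password_entropy(16):.1f} bits, strong={strong_enough(password_entropy(16))}")
    pp = generate_passphrase(6)
    print(f"passphrase {pp!r}: {passphrase_entropy(6):.1f} bits, strong={strong_enough(passphrase_entropy(6))}")
```

Running it shows why the list size matters: six words from the toy list give only 24 bits, while six words from a real 7,776-word list would give about 77 bits. The password goes straight into the vault the article recommends, so there is no need for it to be memorable.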
Procedural / Policy
Hierarchical staff access, privacy statements, and deleting data when it is no longer required are some of the easiest forms of protection. Ensuring that staff have access only to the data relevant to their role, and that an adequate privacy policy is in place, will again provide an excellent defence.
While it may be true that GDPR is yet another piece of growing legislation for businesses to observe, remember that as consumers we also expect our own data to be safe. Investing a little time and effort in GDPR now will help in the long run.
GDPR – should you ignore it?
Do so at your peril!