In the first of a new series of articles, Alex Bailey asks: Are you ready for the GDPR?
You may well be asking yourself, "What is GDPR?", in which case the answer to the above question is a resounding "No"!
However, over the next 12 months you are going to hear those four letters repeated over and over again, because on 25th May 2018 the EU's General Data Protection Regulation becomes UK law, regardless of the Brexit situation.
The Information Commissioner's Office (ICO) says this is going to be the biggest change to data protection law for a generation when it replaces the now antiquated Data Protection Act 1998. But if you were unfamiliar with GDPR until now, you are certainly not alone. According to the Business Continuity Institute, 84% of UK small business owners and 43% of senior executives of large companies are unaware of the forthcoming GDPR.
From May next year, the definition of 'personal data' becomes a lot wider, covering any information that can be used to identify an individual 'natural person' (i.e. a human being, as opposed to a business corporation, public body, NGO etc.), whether directly or indirectly. That might include less obvious details such as a photo or CCTV recording, an IP address or a mobile phone number. All individuals must give specific and unambiguous consent for their data to be retained. They must be told in plain language what information is being held, for what reason and for how long. The onus will very much be on the data processing organisation to prove that explicit consent was given. Data collected must be necessary, minimal for its purpose, and fairly and lawfully obtained. There will be new rights for individuals to request disclosure of their data and to insist on its deletion or transfer to a new service provider, so consideration must be given to how data can be made available in a portable format.
Unlike the outgoing Data Protection Act 1998, which is based on opt-in registration, all organisations will be required to show compliance with GDPR, and there will be tough penalties for those that do not. The maximum fine for breaking the law will rise from £500k to 20m Euros or 4% of annual turnover, whichever is the greater. Security and privacy must be built into all systems by design. There will be a mandatory requirement that any security breaches are notified to the ICO within 72 hours of discovery. Organisations of more than 250 staff, or those carrying out certain bulk data operations, will have to appoint a dedicated Data Protection Officer at senior management level. All other organisations should make sure this role is part of board-level management responsibility.
The GDPR says that data controllers and processors need to:
- implement pseudonymisation and encryption of personal data;
- ensure the confidentiality, integrity, availability and resilience of systems;
- have the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident;
- operate procedures for regularly testing the technical and organisational measures for ensuring the security of the data processing.
This implies that well-designed and tested backup and disaster-recovery processes need to be in place. All businesses and their technical management partners must know where all the data is at all times. When data backups are made and stored, those processes and storage locations must be documented and secured. When staff access, use and copy data, they must be aware of their responsibilities. When data is saved on local PC hard drives or removable media, that also needs to be managed and traceable.
- Data protection reform
- Preparing for GDPR in 12 steps
- GDPR Self-assessment Toolkit
- Getting Ready for GDPR Checklist
To read the full text of the official GDPR document: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (General Data Protection Regulation)