GDPR will be here soon. For your business, it means more than simply tightening your security. It’s about vigilantly identifying what personal information you have stored and making sure that you have sufficient process in place to protect it, and to detect if there’s been a network breach. Most importantly, if there is a breach, one needs to know what your responsibilities are with regard to notifying those whose data is under threat.
The common questions about GDPR;
Q1) What is GDPR?
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe. The aim is to protect data privacy and empower all EU citizens, and to reshape the way organisations across the region approach data privacy. One of the largest differences is the potential size of the fines companies may receive for non-compliance. A self-funded regulator, the Information Commissioner’s Office needs the revenue from fines to cover their policing costs, and the fine levels have been set at up to 20 million Euros or 4% of turnover (whichever is higher!). For more in depth information see ICO’s information page here.
Q2) Does it apply to MY organisation?
It applies to any body that holds or processes personal information of EU individuals. Brexit doesn’t exclude UK organisations from compliance!(And here’s a good article that explores that a little more.)
Q3) How do I prepare?
As an IT support company, we are strongly focused on GDPR’s new principle that:
“personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. “
Each business is different, but the first thing that must be examined regardless of what you do, is what personal data is held. GDPR’s new guidelines basically mean that every reasonable effort should be made to secure your data, when at rest or on the move. Do not panic and think that you’ll necessarily need to invest in hundreds of thousands of pounds of new technology, but some form of Intrusion detection and encryption will be a minimum requirement.
Further to that, you should be considering your processes for managing user’s data. Some, but not all, issues this includes are data deletion, right to be forgotten, disclosure and unambiguous consent to hold and use the data. Processes need to be put in place and new contracts drawn up to handle your supplier’s and customers commitments with regard to GDPR.
With so many areas to consider it may be worth seeking external help. Correct Group IT Support have partnered with specialist GDPR consultants to help our clients prepare.
If you’d like a commitment free initial phone call to discuss how GDPR might affect you and whether an independent consultant’s help is necessary, contact Brandon at Correct Group for more information.