The General Data Protection Regulation (GDPR) is a European Union information security directive which protects individuals by safeguarding the processing and movement of personal data. GDPR replaces the Data Protection Directive 95/46 EC on 25th May 2018. The government has confirmed that the UK’s decision to leave the EU will have no impact on commencement of GDPR. Failure to comply will result in huge fines of up to 20 million euros or 4% of global annual revenue – whichever is higher.
The EU’s General Data Protection Regulation website says: ‘GDPR is the most important change in data privacy regulation in 20 years’. GDPR addresses the shortcomings of the current Data Protection Directive 95/46/EC which has been subject to varying interpretations. Privacy laws between EU countries have become inconsistent. This problem, together with the increasing sophistication of cyber-crime technology, rising security breaches and globalisation have resulted in the need for tighter information security legislation. The EU website says that GDPR will ‘harmonise’ data protection laws across Europe to give greater protection to individuals.
Yes. GDPR applies to every organisation in the EU and those outside the EU if they offer goods/services or handle the data of EU subjects for any purpose.
Businesses will be more accountable for protecting people’s personal information. Recently, huge data breaches have affected large companies like LinkedIn and Yahoo. Under GDPR, it’s mandatory for UK companies to report information security breaches to the ICO and to the individuals affected within 72 hours of identification. Companies that have over 250 employees must document why people’s information is being collected, describing what’s held, how long it will be kept and the security measures in place to protect the information. Companies must also show that they regularly and systematically monitor all activities on personal data. This might mean that your business needs to employ an extra person to cover this role.
GDPR gives individuals more power to access their personal information. Currently, a Subject Access Request (SAR) allows businesses to charge £10 to supply information, but under GDPR, access is free of charge. GDPR gives individuals the power to have their personal information erased in some circumstances, such as when it’s no longer needed for the purpose it was collected. In addition, GDPR gives individuals more rights over the processing of the data held. The ICO says that individuals ‘have the right not to be subject to a decision’ if it produces an effect on them. There are some exceptions, but in general, people must be provided with an explanation of the decision.
If companies don’t process individuals’ data properly, don’t have a data protection officer when they need one, or have a security breach, they can be fined. As the Borg in Star Trek say, ‘you will comply’ and ‘you will adapt’. The fines ensure that when it comes to information security, there’s no choice.
Begin by identifying the processes, policies and procedures that your business has in place and what needs changing for GDPR. Examine where EU citizens’ data is currently being held and the level of information security applied to it. Look at how long data is being stored; whether any unnecessary data is being held that could be deleted; who has access to the data and why; and how access to data is currently being monitored, how often and by whom.
NDC Global Auditors are offering free Data Security & ISO27001 Information Security seminars in partnership with Soitron UK. Our aim is to help you understand GDPR and to establish the next steps for your business.
Together with our technical experts at Soitron UK, NDC Global Auditors can support you to:
The General Data Protection Regulation’s main objective is to establish data privacy as a fundamental right. Over time, your business will know exactly what’s expected, you will have information security experts in place to maintain your data management systems, and data protection will be firmly embedded in your ethos. Although GDPR seems overwhelming, increased information security is intended to have a positive impact on everybody.