
What does GDPR mean for my business?

16 Oct 2017

The General Data Protection Regulation (GDPR) is a European Union regulation on data protection which protects individuals by governing the processing and movement of their personal data.  GDPR replaces the Data Protection Directive 95/46/EC and applies from 25th May 2018.  The government has confirmed that the UK’s decision to leave the EU will have no impact on the commencement of GDPR.  Failure to comply can result in fines of up to 20 million euros or 4% of global annual turnover – whichever is higher.

Why is GDPR replacing current legislation?

The EU’s General Data Protection Regulation website says: ‘GDPR is the most important change in data privacy regulation in 20 years’.  GDPR addresses the shortcomings of the current Data Protection Directive 95/46/EC which, as a directive, had to be transposed into each member state’s national law and has been subject to varying interpretations.  As a result, privacy laws between EU countries have become inconsistent.  This problem, together with the increasing sophistication of cyber-crime, the rising number of security breaches and globalisation, has resulted in the need for tighter data protection legislation.  The EU website says that GDPR, which as a regulation applies directly in every member state, will ‘harmonise’ data protection laws across Europe to give greater protection to individuals.

Will GDPR affect my business?

Yes.  GDPR applies to every organisation established in the EU, and to organisations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour, wherever the data is actually processed.

What’s different about GDPR?

1. Accountability

Businesses will be more accountable for protecting people’s personal information.  Recently, huge data breaches have affected large companies like LinkedIn and Yahoo.  Under GDPR, UK companies must report a personal data breach to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk to individuals, the people affected must also be told without undue delay.  Companies with 250 or more employees (and smaller companies whose processing is not occasional, involves sensitive data, or is likely to put individuals at risk) must keep records of why people’s information is being collected, describing what’s held, how long it will be kept and the security measures in place to protect the information.  Companies whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of sensitive data, must appoint a data protection officer.  This might mean that your business needs to employ an extra person to cover this role.

2. Clients can access the information you hold about them

GDPR gives individuals more power to access their personal information.  Currently a Subject Access Request (SAR) allows businesses to charge £10 to supply the information, but under GDPR access is free of charge in most cases and must normally be answered within one month.  GDPR gives individuals the power to have their personal information erased in some circumstances, such as when it’s no longer needed for the purpose for which it was collected.  In addition, GDPR gives individuals more rights over the processing of the data held.  The ICO says that individuals ‘have the right not to be subject to a decision’ based solely on automated processing, including profiling, where it produces a legal or similarly significant effect on them.  There are some exceptions, but in general people must be given meaningful information about the logic involved and be able to obtain human intervention and contest the decision.

3. Fines can be around £17 million

If companies don’t process individuals’ data properly, don’t have a data protection officer when they need one, or suffer a security breach because they failed to put appropriate security measures in place, they can be fined.  As the Star Trek Borg say, ‘you will comply’ and ‘you will adapt’.  The fines ensure that when it comes to data protection, there’s no choice.

What steps should my business take now?

1. Become familiar with the regulation

Read:

2. Carry out a gap analysis

Begin by identifying the processes, policies and procedures that your business has in place and what needs changing for GDPR.  Examine where EU citizens’ data is currently being held and the level of information security protecting it.  Look at how long data is being stored; whether any unnecessary data is being held that could be deleted; who has access to the data and why; and how access to data is currently being monitored, how often and by whom.

3. Plan for implementation

Think about:

  • Whether you need to appoint a data protection officer to ensure compliance.
  • How data flows across different borders within the EU and outside it.
  • Preparing for data subjects to be able to exercise their new rights under GDPR.
  • Having a battle plan.  Once you’ve carried out a gap analysis, how will you prioritise your resources to address the gaps?

Where can I get help?

1. Free Data Security & ISO27001 Information Security seminar

NDC Global Auditors are offering free Data Security & ISO27001 Information Security seminars in partnership with Soitron UK. Our aim is to help you understand GDPR and to establish the next steps for your business.

2. Consultancy, training and technical support

Together with our technical experts at Soitron UK, NDC Global Auditors can support you to:

  • Carry out a gap analysis of your existing information security management system.
  • Develop robust IT systems that comply with GDPR.
  • Implement and maintain ISO27001 – the accepted global benchmark for information security management.
  • Train your data controllers and data processors.

Finally… stay positive!

The General Data Protection Regulation’s main objective is to establish data privacy as a fundamental right. Over time, your business will know exactly what’s expected, you will have information security experts in place to maintain your data management systems, and data protection will be firmly embedded in your ethos.  Although GDPR seems overwhelming, increased information security is intended to have a positive impact on everybody.

“The EU data protection reforms promise to be the biggest shake up for consumers’ data protection rights for three decades. Organisations simply cannot afford to fall behind. We know data protection officers understand this, and we know they sometimes find their views ignored in the boardroom. The new law gives directors 20 million reasons to start listening.”

Christopher Graham, Information Commissioner, ICO.

© Copyright All Rights Reserved, NDC Certification Services Ltd. 2020.