What does GDPR Mean to My Business? – Part 1
General Data Protection Regulation (GDPR) has become quite a buzzword in 2017. With its enforcement on May 25, 2018, many businesses have started preparing themselves for the change. But, the most obvious question that strikes everyone mind is: “What does GDPR mean for me and my business?” The answer to this question is simple - “IT MATTERS A LOT”. After all, GDPR is enforced to make the companies abide the security and privacy factors when maintaining personal information and data of the customers. The purpose of its implementation is to update the existing Data Protection Directive. With the update, the entire process of creating, using, sharing, and storing information was leveled for better data privacy and security. When compared with the past, the effectiveness of GDPR in 2018 will have a huge impact which has already made companies follow the rules much more rigidly, and that, by companies across the globe.
Here are some key points to consider while preparing your organization for GDPR compliance -
Wider Geographic Scope
GDPR is not only applicable to the companies based in Europe, but in fact, for all the companies across the world because maintaining privacy and security is a global objective.
If you process or hold information on people then it applies to you (this could be a name and email address or phone number, it has been defined as 2 pieces of information that could be used to identify an individual). So, even if you are running a business online, you are also subject to GDPR in case you collect IP addresses or track cookies.
Breaches of personal data are bound to make a company face severe penalties. According to Data Protection Authorities (DPA), for serious infringements a fine of 4% of annual global turnover or €20 million would apply, while for less serious infringement, a fine of up to 2% of global annual turnover would apply.
Organisations Need Explicit Consent from Individuals
Processing customer’s data is no longer an easy thing for organisations because they need to take explicit consent from individuals. In simple terms, individuals are given more rights for processing and transferring their data. Moreover, companies will no longer be able to use illegible terms and conditions. The proof of consent also needs to be available on demand with accuracy and can be requested at any time.
Protecting customer’s data is mandatory for all companies. This relates to hashing and encryption of personal data in order to keep the information confidential and secure. With the help of data encryption, the potential impacts of data breach also get reduced as information cannot be identified without the encryption key. Even if a breach occurs on any system, the information would still remain secure, thus saving the company from GDPR penalties. THIS IS A KEY PART OF GDPR - If the data is encrypted you are not obligated to report any breach to the authorities or the end user.
Also, encryption of personal data is possible with an existing database format, which helps reduce the work pressure of the company experts since they do not require re-development of current systems and applications.
Data Processing Registry is Mandatory
Companies now need to keep a track of all the data by registering their data in the systems. This means they need to keep electronic record of personal data, which includes the name and contact details of the data controller.
Reporting of Personal Data Breaches is also Mandatory
According to GDPR regulation, businesses need to inform DPA about data breach within 72 hours. If the breach is high, i.e., if it might affect the individuals up to a great extent, they need to be informed without delay. This is not applicable if the data in question is encrypted.
Hire a Data Protection Officer (DPO)
Hiring of Data Protection Officer (DPO) is must, if any organisation is dealing on a large scale of data protection. The DPO will keep an eye on all the activities and monitor whether the organization is operating in compliance with the regulation. Smaller organisations should put sensible policies in place which they can show and adhere to.
Businesses require maintaining data protection by design and by default. This means businesses would require conducting data protection assessments for new products, services and other data processing services.
All data must stay within the EU (this includes via cloud services), if that is not possible and with good reason then a legal agreement should be in place to protect the data in the event of a breach and to make sure the company providing the service is aware of their obligations under GDPR and consent to complying with it.
Data Access Requests
Data is encrypted only in order to keep it safe. Customers have the right to obtain their own unencrypted data from the data controller. They can also demand their data be removed from the controller's systems. This must be done on request and must be complete, i.e. not leaving it on a backup drive for example.
Data Loss Protection
Prevention of data loss is must, and this is made possible with Data Loss Protection (DLP) software. Outgoing emails, messages, and files which are not encrypted are debarred from outgoing. The encryption of data is must in order to protect and safeguard it from the loss. So, these are a few key points, necessitated by the GDPR changes, which every organization needs to abide by in order to protect customer data. However, any organization cannot make the data encryption task possible all alone. In fact, legal and information security team efforts are also equally essential to comply with these laws. Though many companies are struggling to abide by the rules and regulations of GDPR, they are failing to protect their customer data because of lack of budget and business-level support. Therefore, to meet the requirements of GDPR, it is important for every company to not only have the right expertise but have the right finances, resources, and senior-level support. In fact, only an ideal blend of all these can help in keep up with compliance and keep the data secure. So, what’s your call?
Please give us a call us on +441603 670682 to discuss GDPR in more detail and how we can help you and your IT system. Also keep an eye on www.s2-computers.co.uk/blog for part 2 of this blog.