GDPR (General Data Protection Regulation)
Are you prepared for GDPR?
Ignore it, and your business is at high risk of a massive fine. Why?
Because the General Data Protection Regulation (GDPR) comes into effect in the UK, unifying the law across Europe.
GDPR is new legislation to replace the UK Data Protection Act. It adds huge legal responsibility for the safe use of data directly onto your shoulders, which any business owner ignores at their peril.
A year ago, TalkTalk was fined £400,000 for data security failings. Under the new GDPR fine regime that would be… £59 million.
So, if it hasn’t hit home yet, your business needs to prepare now. And no, Brexit won’t save UK businesses from this legislation. It’s going ahead…
The sooner you start preparing, the sooner you get your business in order, and the smoother the transition will be – protecting you against a devastating financial penalty.
Call one of our security experts on 0345 450 9393 today, you don’t have long.
- What is GDPR?
It is the General Data Protection Regulation and it replaces both the Data Protection Act and the Data Protection Directive.
- When will GDPR become law?
GDPR was adopted by the EU Parliament in April 2016 and will become UK law on the 25th May 2018.
- Will GDPR remain after Brexit?
Britain will implement and maintain GDPR even after leaving the EU.
- Whose data will GDPR cover?
It will cover all personal data of any living person within the EU.
- What data does GDPR cover?
GDPR covers two types of data. The first is personal data, meaning any information that can identify a person. This includes the following:
- IP address
- Location identifier
- Email address
- Photographs
- Bank details
The other type of data is sensitive personal data, which includes:
- Race/ethnic origin
- Health
- Biometric data
- Sexual orientation
- How will GDPR change the way we capture data?
GDPR will require companies to show they have obtained consent from individuals to capture their personal data. The request for consent should be unambiguous to the individual and will need to include the following information:
- How long the data will be held for
- What the data will be used for
- Who else will have access to the data
Additionally, individuals should have a choice on whether to give consent, and it should be as easy to withdraw consent as to give it.
- What is a SAR (Subject Access Request)?
A subject can request information regarding their personal data held by a company. Companies have one month to handle the request and report back. If the request is complex, an extra month can be given. Information that can be requested includes:
- What the information is needed for
- Who else has access to it
- Where the data was collected, if it was obtained from another source
- What is "Right to be Forgotten"?
Individuals can request to have all their personal data erased from the company database and from any third party involved.
- How do you get consent for subjects 16 years and under?
When capturing personal data from an individual under the age of 16, parental consent is needed. However, some countries may choose to set the minimum age to 13.
- How long can personal data be retained?
GDPR does not specifically mention how long a company should retain personal data for. However, GDPR does state that personal data should not be retained longer than necessary.
- What happens if a Data breach occurs?
Once a breach has been identified, companies have 72 hours to report it to the ICO (Information Commissioner's Office). If personal data has been leaked, companies face the highest tier of fine.
- What are the fines?
Depending on the articles violated, you can face one of two tiers of fine. The first tier is 2% of annual turnover or €10 million. The second and highest tier is 4% of annual turnover or €20 million.
- What are Controllers and Processors?
The Controller (an individual) determines the purpose for which personal data will be processed and must demonstrate compliance with the regulation.
The Processor (a second individual) works on behalf of the Controller. If a breach occurs, the Processor must notify the Controller without delay.
- What about companies outside the EU capturing EU residents' data?
All companies outside the EU still need to abide by GDPR when handling personal data from the EU. Companies that are not based within the EU and offer services or products within the EU will need a representative within the EU.
- What is a Data Protection Officer and will my company need one?
A Data Protection Officer is a person who oversees the protection of personal data and ensures the company is compliant with the GDPR requirements. A Data Protection Officer will need to be appointed if the company is storing or processing a large amount of personal data.
- What certifications will help with GDPR compliance?
Certifications that can help with GDPR compliance are Cyber Essentials, PCI DSS and ISO 27001. Further compliance work will still be required; however, without these, non-compliance is guaranteed.