What is GDPR?
The General Data Protection Regulation (GDPR) replaces both the Data Protection Act and the Data Protection Directive, giving all organisations a single regulation to follow. GDPR was made law on the 27th April 2016 and will be enforced from the 25th May 2018. The aim is to reduce confusion and ensure companies follow the correct regulation.
Who Will It Affect?
Whether you are a data controller or a data processor, GDPR affects any company worldwide that handles personal data of residents within the EU. If you are a controller, you will need to clearly state why you are capturing the data, what you will be using it for and how long the data will be stored.
If you are a processor, you will need to ensure that all processing activities are recorded, and you are required to notify the controller of any breaches that occur.
Why Is GDPR Being Introduced?
GDPR replaces the Data Protection Directive, introducing new requirements for companies to follow and stricter punishments for those that do not follow the framework.
The regulation gives data subjects more power over the personal data companies store about them: a subject can submit a subject access request, which requires any information held about that individual to be shown to them.
GDPR also ensures that all businesses that deal with personal data within the EU have a clear framework to follow, so that they handle personal data competently, professionally and with care.
What Can Businesses Do To Become Compliant?
– To prepare for GDPR you need to know exactly what information you are capturing, what it will be used for and whether any other parties will be using it. Once you have identified where the information will be processed and stored, you can plan the procedures for handling Subject Access Requests and put the security controls in place to protect the information.
– When it comes to security, GDPR names only two specific measures. The first is encryption of all personal data, both at rest and in transit. The second is pseudonymisation: storing personal data in a form that can no longer be attributed to a specific data subject without the use of separately held supplementary information.
– Additional security measures are needed to prevent data breaches that can cause harm to subjects (e.g. identity theft or financial loss). Improving the security of individual computers is essential: install and keep active endpoint anti-virus software, keep all software up to date, ensure the host firewall is active and regularly updated, and close any network ports and services that are not required. For the company network, it is vital to have an active firewall on the boundary of the network, with rules that allow only permitted traffic in.
If you are still unsure of what you need to do to make your business compliant, book a meeting with one of our experts by calling 0345 450 9393 (Opt 1) or attend our Cyber Security Event on 11th May at the Episode Hotel in Leamington Spa.
Click the link below to book your ticket.
Cyber Security Event: https://gdpr-last-call.eventbrite.co.uk