General Data Protection Regulation
(GDPR) Regulation (EU) 2016/679
ISO Consultant Rob says…
GDPR – What’s it all about?
The General Data Protection Regulation is a piece of European legislation, not simply a guideline. This means that individual governments do not need to pass any additional acts or laws for it to become a legal requirement for ALL European businesses (and businesses handling European data!) in May 2018.
The UK’s departure from the EU will not affect the legislation; it will continue to apply indefinitely afterwards. The legislation is based around the individual’s right to access and control their own data.
Data protection legislation is not new; the first UK Act was instituted in 1984. GDPR is simply the culmination of everything learnt so far, applied to the 21st-century, digital-dependent business world.
Securing Sensitive Info (data)
With GDPR, data security needs to become a central part of your business operation, rather than (typically) being hived off to the IT department.
A key requirement is that data is protected “by design and default”. This means you must have a developed and documented system in place that protects your data to the greatest extent you can.
This applies to all aspects of data processing from initial collection, to storage, and even destruction.
The requirements for collecting and keeping data are clear, and the legal ramifications of not complying will be harsh.
A core principle: to be lawful, the data you hold must be limited to information directly relevant to your business, and you must have the consent of the data subject.
There are exemptions for data kept in the interest of the data subject, in the interest of the general public, or for legal reasons (such as contracts or sales orders).
So What’s Required?
A good question without a quick answer! GDPR contains several explicit provisions and rules regarding issues such as Automated Profiling and Direct Marketing.
GDPR defines two types of organisation, and different questions need to be asked and different controls put in place depending on which one you are.
These two types of organisation are called Processors and Controllers. Realistically, most companies will have aspects of both definitions, but it is nonetheless important to determine which you are.
A further important aspect of GDPR is identifying and categorising the data you hold. If it is considered High Risk, you will need to complete Data Protection Impact Assessments (also known as Privacy Impact Assessments), which are used to identify and address any risks associated with holding the data, such as potential damage to, or loss of, an individual’s data.
What can we do to help?
GDPR is a major business issue. If what you’ve read so far makes this appear daunting, there’s no need to be too concerned – we can help you get ready for GDPR implementation and continue to comply with it.
We currently offer two options for clients pursuing and implementing GDPR.
A Company-Wide Gap Analysis
(Face-to-Face)
Direct Consultation with detailed Gap Analysis.
Closing Report and recommendations on how to get ready for GDPR.