GDPR (General Data Protection Regulation) will change how businesses in the UK collect and manage data. With GDPR becoming effective from 25th May 2018, it is imperative that businesses act now to ensure that they are compliant.
WHAT IS GDPR?
The General Data Protection Regulation (GDPR) is a regulation designed to strengthen and unify data protection for all individuals within the European Union, and it also governs the export of personal data to the rest of the world. The aim of the GDPR is to give individuals more control over their personal data, and to simplify the rules around international trade by unifying data protection regulation throughout the EU. GDPR comes into force on 25th May 2018, meaning that organisations should act now to ensure they comply with its requirements.
The Information Commissioner's Office (ICO) has identified 12 steps organisations should take now:
1. Awareness. Ensure key individuals in your organisation are aware of the changes.
2. Information. Document what personal data is held, where it came from and how it is shared.
3. Communicating. Review privacy notices and prepare for potential changes to these.
4. Individuals. Check procedures cover individuals’ rights, including how data would be deleted or provided electronically.
5. Data Subject access requests. Update procedures and plan how requests will be dealt with.
6. Lawful basis. Identify the lawful basis under the GDPR for each processing activity and update your privacy notice to state it.
7. Consent. Review how consent is obtained and update existing consents if they don’t meet new standards.
8. Children. If you hold information on children, you need to consider age verification and parental consent.
9. Data breaches. Are procedures in place to detect, report and investigate a data breach?
10. Impact assessments. Familiarise yourself with the ICO’s code of practice as well as the latest guidance and decide how and when to implement these.
11. Data protection officers. Designate a member of staff to take responsibility for data protection compliance. Consider whether formally designating a Data Protection Officer is required.
12. International. If your organisation operates in multiple EU member states, identify which data protection supervisory body you are working under.
WHAT ARE THE KEY CHANGES REQUIRED BY THE GDPR?
Individuals have the right to:
• Access their personal data
• Correct errors in their personal data
• Erase their personal data
• Object to processing of their personal data
• Export personal data
Organisations will need to:
• Protect personal data using appropriate security
• Notify authorities of personal data breaches within 72 hours of becoming aware of said breach
• Obtain appropriate consents for processing data
• Keep records detailing data processing
Organisations are required to:
• Provide clear notice of data collection
• Outline processing purposes and use cases
• Define data retention and deletion policies
IT & Training
Organisations will need to:
• Train privacy personnel and employees
• Audit and update data policies
• Employ or assign a Data Protection Officer (if required)
• Create and manage compliant vendor contracts.
WHAT HAPPENS IF I DON’T COMPLY?
GDPR non-compliance will have far tougher penalties than previously under the Data Protection Act (which had a theoretical maximum of £500,000). Organisations in breach of GDPR can expect fines of up to 4% of annual global turnover or €20 million (whichever is greater).
HOW CAN AKITA PREPARE YOU FOR GDPR?
Akita can advise on the ways in which you can improve your data security:
• GDPR Audit of data access permissions.
• Implementing two-factor authentication for all remote users.
• Better integrating Akita into your formal starter and leaver processes.
• Reviewing users and group memberships.
• Identifying users with remote access.
• Compartmentalising data such that only those who need access actually have it.
• Reviewing your backup strategy.
• Reviewing your disaster recovery plan.
• Implementing next generation firewalls to provide enhanced web protection.
• Implementing active threat detection.
• Training users to recognise suspicious emails.
For more details about our GDPR Audit and other services, contact our team on 01732 762675 or fill out the contact form.