General Data Protection Regulations (GDPR)

“The new General Data Protection Regulations (GDPR) will give us one of the most robust, yet dynamic, set of data laws in the world.” UK Digital Minister, Matt Hancock.

Data protection law is changing, and soon. Will your organisation be ready to comply with these significant and extensive changes?

You have probably heard the term GDPR, but does your business fully understand the changes being made to data protection law and the consequences of non-compliance?

What is GDPR?

GDPR, Regulation (EU) 2016/679, is the regulation through which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for everyone within the EU.

Why the change?

The reason is twofold. Firstly, the new regulations are designed to give individuals greater control over how their personal data is used. Internet giants such as Google, Amazon and Facebook all frequently swap data, and the Data Protection Bill hopes to build trust in an ever-developing digital age. Secondly, the regulations aim to provide a clearer and safer environment for organisations to work in. The regulations, which have taken four years to draft, introduce tougher fines and penalties for breaches and are intended to streamline data protection law across the EU.

When?

The Go Live date for GDPR is 24th May 2018!

So, time is of the essence.  Are you doing enough to stay in step with data protection?

A recent survey of IT professionals conducted by Imperva revealed that 43% were assessing the required changes, approximately one third were not preparing for any changes, and 28% were unaware of any changes their employers were making in preparation for GDPR.

These are worrying statistics. The rules of the game are changing, and that means our behaviour and systems need to change in line with them, or we face the consequences, and the consequences are severe!

Does GDPR apply to your organisation?

If you use and hold data then the answer is, yes!

How many data lists do you have stored away in your business? How much personal data is being held, and is it being held securely? Do you have a process in place to show an individual what data you hold on them and, if necessary, to delete that data?

GDPR covers ‘controllers’ and ‘processors’. A controller determines how and why personal data is processed; a processor is the party that actually processes the data on the controller’s behalf.

Controllers must ensure that data is used in a lawful manner and deleted once it is no longer needed. Consent must be obtained and recorded before personal data is used. Personal data includes IP addresses as well as economic, cultural and mental health information. People have the right to know whether their data is being processed and how long it is stored for, and they have the right to ask for it to be deleted.

So, if you have staff in your organisation who think it is acceptable to carry data on memory sticks or to leave laptops on trains with information saved on local drives, then you are failing to keep up with current best practice, let alone being ready to comply with GDPR next year.

What are the consequences of non-compliance?

If your company chooses to ignore the basic principles for processing data, your business will bear the reputational and financial consequences. Fines for non-compliance are set at 4% of turnover or €20 million (whichever is the greater), and at 2% or €10 million for less serious failures, such as failing to keep an up-to-date audit trail of your assurance policies and procedures.

According to analysis by NCC Group, the fines levied by the Information Commissioner’s Office against businesses in 2016 would have been £69 million rather than £880,500 had GDPR been in place.

Where do you start?

Each organisation will face different priorities depending on its sector, but a good starting point is your data storage. Do you know where all your data is stored and, critically, who has access to it? Look at every department across your organisation and assess the data that is stored. Ask who has access to that data, and whether they should have access to it.

It is crucial to get all your staff on board.  This is a team effort.  Your whole organisation should be working together to change old practices and mindsets, and adhere to new policies.

How can GDPR training help with compliance with the new regulation?

Training your staff is paramount, and it should be ongoing. Your personnel need to be kept informed regularly, and any new systems or suppliers must be assessed appropriately. Keep GDPR at the top of your agenda!

If your staff do not understand the basic principles of data processing, VinciWorks’ cyber security training can help raise awareness of the potential threats to your business and of how digital information can be compromised. It shows how individuals can develop good security practices, with recommendations for avoiding malicious activity.

VinciWorks’ GDPR compliance training course outlines the new General Data Protection Regulation. The course covers how GDPR is different from the Data Protection Act, what the changes mean for those who process personal data and what is required to remain compliant.

By providing GDPR training to your staff, you ensure that they understand the importance of GDPR to their role and to the organisation. This includes the financial and reputational risks, as well as the risk of disciplinary action if they are responsible for a data breach that harms the organisation. It is vital that staff know what to do if there is a data breach and how all data across the organisation is affected by the new Regulation.

The GDPR training also needs to be relevant. Employees should feel that the training material relates to them with links to relevant policies and procedures. VinciWorks’ GDPR compliance training is fully editable, so you can amend the content to make it relevant to your own approach to GDPR.

How are you managing your GDPR compliance requirements?

GDPR adds a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented, and Data Protection Impact Assessments (DPIAs) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of euros.


James, VinciWorks CEO
