Unless you’ve been living in a cave for the last few months, you’ll be aware of the new General Data Protection Regulation (GDPR), which applies across Europe from May 25, 2018. It may not be the most interesting subject to discuss in your local pub or coffee shop, but it is extremely important for businesses and organisations of all sizes.
What is GDPR and why is it important?
In recent times, big companies such as Google and Facebook have used data about us to tailor their products and services more closely to our personal preferences. This has had many benefits but has also led to instances where that data has been misused. GDPR has been brought in to address this: it is a new set of rules introduced by the EU to replace the existing patchwork of data protection laws across Europe. The idea is to create a uniform set of rules that can be enforced across the continent, and to give people more control over how data about them is obtained and used.
What are the new rules?
Under the new laws, you’ll have to explain what personal data you hold, why you have it, what lawful basis you have for processing it and how you’re managing it. You must also be able to say who in the organisation is responsible for the data and ensure you have a secure environment in which to store it.
How will they affect my business?
You’ll need to react quickly, generally within one month, to an individual’s request to access or remove their personal data from your records or to stop their data from being processed. You must also be able to prove that an individual has given consent to receive communication from you, such as a newsletter. This means an audit trail showing what they have opted into, how and when. You should also ensure your business security systems are equipped to spot and react to breaches quickly: a personal data breach that is likely to result in a risk to individuals must be reported to the Information Commissioner’s Office within 72 hours of you becoming aware of it. Where the breach is likely to result in a high risk to them, you’ll also have to inform the individuals affected.
How long do I have to prepare for the new rules?
Not long! UK businesses must comply by May 25, 2018.
So how do I comply with them?
There’s plenty to do. Firstly, you’ll have to keep a record of how and when an individual gives consent to store and use their personal data. It would also be a good idea to adopt Cyber Essentials, which is essentially a good practice guide to looking after your IT systems. It was launched by the UK Government in 2014 to help businesses protect themselves against common internet-based threats. To complete the Cyber Essentials certification process, your organisation must show it has the five basic controls in place: boundary firewalls, secure configuration of devices and software, user access control, malware protection and good patch management processes.
GDPR seems like too much hassle. Do I have to comply?
In short, yes. For the most serious infringements, fines of up to €20m or 4% of global annual turnover for the preceding financial year (whichever is greater) can be imposed. That could ruin a business, so the message is: prepare now.
Ok, I use all sorts of mobile devices in my business. How do I ensure they are ‘GDPR-ready’?
Conduct an information audit so you know what devices you hold within the business, how many, and what personal data is stored on them. Make sure you protect your mobile devices from security threats (encryption, screen locks, remote wipe for lost or stolen devices) and establish a clear boundary between the user’s personal data and the business data on their work mobile device. To put it simply, good mobile device management is an essential component of your GDPR compliance. It would be worth investing in a secure, centrally managed IT platform that manages and protects all of your devices while allowing only authorised users access to data.
I could do with some help – where do I get it?
You can visit the Information Commissioner’s Office (ICO) at https://ico.org.uk/global/contact-us/helpline/. Alternatively, contact a reputable company with knowledge of how to comply with the new laws.
For more information on how we can help you prepare for GDPR, please email us at [email protected] or call us on 0330 22 33 011.