GDPR – General Data Protection Regulation

What is it the EU General Data Protection Regulation or GDPR?

The EU GDPR will be enforced from 25 May 2018, and it is the culmination of years of work by the EU to reform Data Protection regulation into a Union-wide framework instead of a patchwork of country-specific legislations.

The GDPR regulation is intended to strengthen the privacy rights of EU citizens, restore confidence in online activities and better protect customer data by requiring companies to adopt new data protection processes and controls.

Who does the GDPR Effect?

The GDPR should be of global interest as it affects any company doing business with EU citizens, regardless of where the organisation is based in the world.

Why should we be concerned about GDPR?

If your business is not compliant with the GDPR then there fines for breaches of personal data of up to €20m or 4% of the organisation’s worldwide turnover.

Key stipulations of GDPR

1. GDPR has a wider geographic scope. You do not have to be based in Europe for it to apply. Any company that does business with EU residents will be subject to GDPR. Even if you are offering a free service, such as a website that people in the EU access, you may be subject to GDPR if you collect IP addresses or track cookies.
2. The definition of ‘personal data’ has widened and now explicitly includes online identifiers such as IP addresses and mobile device identity.
3. Organisations will need to attain explicit consent from individuals regarding the processing of their data, and companies will no longer be able to use long, illegible terms and conditions.
4. Individuals will also have more rights regarding the processing of their data, for example relating to data erasure (often referred to as the ‘right to be forgotten’) and data portability, which is the right to transmit their data to another controller.
5. Technical and organisational measures regarding the protection of personal data are becoming mandatory, with the GDPR outlining examples of the measures expected. These relate to the hashing and encryption of personal data, the ability to ensure confidentiality, integrity, and availability, and processes to test the effectiveness of security measures.
6. Organisations will need to keep a written (electronic) record of personal data processing activities, capturing the lifecycle of the data and the name and contact details of the data controller.
7. The reporting of personal data breaches will become mandatory and this is to be done within 72 hours of becoming aware of them.

How to comply with GDPR?

In order to comply with the new legislation, the best way to prepare is to implement a solid data protection strategy that guards against loss of data whether through malicious or accidental methods.

How will the new GDPR rules be enforced?

To ensure proper enforcement of the new data protection rules the reform will both step up the powers of data protection officers and allow for substantial fines in the event of breaches.

Firms will have to appoint a data protection officer if they are handling significant amounts of sensitive data or monitoring the behaviour of many consumers.

Do you really need to hire a data protection officer for GDPR?

The short answer is yes. You could share a Data Protection Officer with another organisation or you could assign the role to an existing individual. Their role is to look at the businesses on the side of the regulator who is concerned about protecting the data of EU citizens.

The Next Step…

GDPR IT and Infrastructure Audit

GDPR is all about the information you hold about EU citizens and protecting it, therefore to start this process there are some essentials steps required. Firstly you will need to understand where your data is stored and how is it protected. Our engineers can help assist with this fact finding process by completing a GDPR IT and Infrastructure Audit that will assess where your data is held, how it is currently protect and also provide advice on how to further protect this data.

GDPR Hardware and Software Solutions

As we have mentioned protecting your data is key to ensuring that your business is GDPR compliant. Businesses need to put the right technology in place to protect this personal data. Our team can help provide you with advice on the best solutions available in order to ensure that your data is protected. We can supply, install and support crucial tools including Firewalls, Endpoint protection, Encryption, Ransomware protection, Mobile device protection and more.

GDPR Training

We offer two courses that are specifically designed to help businesses understand the new regulations.

Our one-day course provides a great introduction for those wishing to understand the new laws and it will also help you understand how the regulation works, so you can prepare and work towards compliance.

Our four-day Foundation and Practitioner course provides a detailed introduction to GDPR and a full overview on how to plan and implement a continuous compliance programme. It also enables businesses to fulfil the knowledge requirements of a Data Protection Officer, a position that will become a legal requirement by May 2018.

The Next Step…

If you would like more information about what your business should be doing now to prepare for the GDPR or you would like to book a GDPR audit or a place on one of our GDPR training courses please contact us on 01392 824022 or email us at info@amesolutions.co.uk.