What to expect from the General Data Protection Regulation
Regardless of the effects of Brexit, UK SMEs and large organisations alike that process data regarding EU individuals will be subject to the General Data Protection (GDPR)
‘Processing’ of data refers to obtaining, disclosing, recording, holding, using, deleting or destroying personal information.
A wider reach than ever
The territorial reach of the GDPR is considerably broader than the UK’s current Data Protection Act.
You will be subject to the GDPR if you: –
- hold data about individuals that reside in the European Union
- handle data in the context of offering goods or service to an individual in the EU, or
- you monitor their behaviour.
The GDPR is subjective
It’s about the data not the Company. It’s about whether the data you handle concerns individuals residing in the EU, not whether your organisation is in the EU. Indeed, even monitoring the behaviour of an EU individual, through implementing website cookies on your site, for example, can make you liable to the GDPR.
Monitoring features like cookies are now more or less ubiquitous, companies that offer a digital service like a web app, platform or website (which is more or, less every company) accessible by EU individuals must comply with the GDPR by 2018.
The new regulation also voids the distinction between personal and business addresses. A marketing email that identifies a person i.e. email@example.com, for instance, will require consent. Whether your business is B2C or B2B, the incoming changes will most likely affect you.
Ill-prepared for change
When the GDPR was proposed in 2015 only 1% of Cloud service providers, were prepared. Suppliers had significant issues around new regulatory requirements, from data breach detection to encryption and data deletion policies.
Now that the GDPR has a formal start date, these issues must be rectified.
The GDPR is casting a much wider net when it comes to the collection, storage and use of EU citizens’ personal data. As such, you need to be more vigilant than ever when it comes to data protection.
The following are five areas of focus when it comes to data protection best practice: –
1. Secure the Cloud
Processing data in the Cloud presents a risk. Personal data which you are responsible for is not within the confines of your on-premises network, it is processed by your Cloud provider.
2. Understand what you have
Given just how much data we now generate, part of keeping it secure involves understanding which information is and isn’t valuable to your Company.
- Necessary – ensure you only collect the most necessary information.
- Secure – it is your legal obligation to keep Customer information secure. Data encryption and User training are vital parts to this
- Readily available – under the GDPR, an individual can ask if your Company holds any personal information about them, known as a ‘subject access request’. In this case, you must reply within 40 days. Make sure that your staff can recognize subject access requests and quickly find the relevant information.
3. Staff Training
Whether intentional or not, it’s common for employees to be the main contributors to data breaches. Accidental disclosure and human error, from sending an email to the wrong recipient, to opening an attachment with malware are the main causes for breaches in personal data, according to the UK’s Information Commissioner’s Office (ICO).
By ensuring your employees acknowledge and understand their roles and responsibilities, you can greatly improve data protection across your organisation. Train your staff to ensure they understand the right and wrong places to share information regarding the company or customers.
4. The right to retain
It is good practice to review and refine the length of time you keep personal data. Ensuring that personal data is disposed of when no longer needed will greatly reduce the risk that it will become out of date, irrelevant or inaccurate.
5. Audit your activity
Unaware or inexperienced Users are more prone to mistakes when it comes to keeping content secure. Running audit logs are a great way to keep on top of Company content, where it’s going and who it is accessed by. By monitoring your systems and services, you can be alerted to any suspicious behaviour or activity. So, make sure this is the case in your organisation, ensure you can check what software or services are running on your network and make sure you can identify when there is something there which should be.
With only a year to ensure your business is fully compliant, do you have enough time.