Guide to General Data Protection Regulation for Your Business
This document is provided to help understand the General Data Protection Regulation (GDPR), what it means to your business and what San-iT can do to help conform with GDPR.
Please take the time to read the below as it affects your business and if your business is not compliant by May 2018 you will be potentially liable to fines. I have kept the content as short as possible but with the nature of the change in law, there is a lot to consider.
The GDPR is coming into effect May 2018 which replaces the UK Data Protection Act 1998.
After May 25th 2018, businesses that don’t know what personal data they hold, or don’t do enough to protect it, face potential fines. Many organisations are unaware of what action is required to conform with the GDPR.
There is a points based system with a maximum score of 364 which means the higher your score the more compliant you are likely to be. The target score is above 300. The current UK average is 30 points which demonstrates how ill prepared businesses are in adopting GDPR.
Below I have detailed some headlines and actions that should be taken to help understand what is involved.
GDPR Summary:
1. All organisations need to be able to discover, classify, secure and report on all EU citizen Personal Identifiable Information (PII);
2. Regulators can request an Information Governance report detailing what PII is stored, why it is stored, what it is used for, how it is stored, how it is processed, who it is shared with and how it is classified;
3. PII data must not be leaked or assessable to unauthorised parties – any breach will also result in a fine;
4. Failure to provide the report or any leakage of data may result in substantial fines (€20 million or 4% of global revenues, whichever is greater) from the regulator;
Why does GDPR matter if we are leaving the EU?
We will still be in the EU in 2018 – the UK won’t leave until 2019. In any case, the UK Information Commissioner’s Office (ICO) intends to enforce the rules regardless.
In fact, it goes much wider than the UK. Any business that sells to the EU will need to meet the regulations, or risk being sanctioned or banned from providing goods and services to Europe, but for UK firms, that hardly matters – the ICO will insist on GDPR being implemented regardless.
When will it be enforced and who by?
In the UK, the ICO will act as the regulator. It can be expected to enforce GDPR, and as recently as June 2017, the ICO fined Gloucester City Council £100,000 for leaving personal information vulnerable to attack. This happened after a cyber-attacker exploited a weakness in the council’s website in July 2014, which led to over 30,000 emails being downloaded from Council mailboxes. This fine was imposed under the Data Protection Act of 1998.
The Data Protection Act (DPA) was implemented under an EU directive and GDPR is effectively an update and extension of this law. The ICO will simply be doing what it always has done when GDPR comes into force – but with bigger potential fines. Under GDPR, organisations will face fines of up to 4% of their global turnover or €20 million, whichever is greater. Under the Data Protection Act, the maximum fine was £500,000.
What do you need to know?
· Data held on EU subjects must only be used for the purpose agreed when the data was collected. It can include names, addresses, emails, telephone numbers as well as social media updates, pictures, and IP addresses;
· Organisations must ensure that they provide the ‘right to erasure’ on an individual demand (Article 17 of the GDPR); this was not in the previous Data Protection Act 1998 Directive;
· Data must be portable via open and popular file formats;
· Processes and workflows will need to be reworked to build in ‘privacy by design’;
· Organisations of all sizes will need to appoint Data Protection Officer(s) who will be answerable to the Data Protection Authorities (the ICO in the UK)
· Notification of a Data Breach must be within 72 hours of the discovery of a breach and should be to:
o The Data Controller (if you are a Data Processor);
o The Regulators (e.g. UK Information Commissioner’s Office – ICO);
o The Data’s subjects;
· A Data Controller is a person who specifies the purposes for which personal data will be used and how data will be processed;
· A Data Processor is a third-party person (not employed by the Data Controller) who organises, adapts, retrieves, discloses or shares the data on behalf of the Data Controller;
· The notification must at a minimum describe the personal data breach, the scale of the issue, the data protection officer’s contact details, likely consequences of the breach and how this is being dealt with;
· There is no certification or accreditation for GDPR which means that organisations are never going to achieve GDPR compliance. If an organisation does leak/lose any EU resident’s PII, the ICO will take into consideration the processes, workflows and security it has put in place to protect the EU resident’s PII when determining the size of the fine;
What do I need to do?
Below are 12 key points detailing what you need to do:
1. Awareness
You should make sure that decision makers and key people in your organisation are aware that the law is changing to GDPR. They need to appreciate the impact this is likely to have.
2. Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit and restructure your data.
3. Communicating privacy information
You should review your current privacy notices (if applicable) and put a plan in place for making any necessary changes in time for GDPR implementation. Review the ICO document at http://www.eugdpr.org/
4. Individual’s rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data electronically and in a commonly used format. The main GDPR rights for an individual are to have:
· Subject access requests;
· Inaccuracies corrected;
· Information erased;
· Prevention from direct marketing;
· Prevention from automated decision-making and profiling;
· Data portability;
5. Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information. GDPR will, normally, not allow you to charge for complying with a request, and requests should be complied with in 30 days.
6. Legal basis for processing personal data
You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
7. Consent
You should review how you are seeking, obtaining and recording consent and whether you need to make any changes. Consent needs to be explicit and not inferred from silence, inactivity or pre-ticked boxes.
8. Children
You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity. In the UK, the ICO considers children to be anyone under 13 years old.
9. Data Breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
10. Data protection by design, and data protection impact assessments
You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation. http://www.eugdpr.org/
11. Data Protection Officers
You should designate a Data Protection Officer if required, or someone to take responsibility for Data Protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. (Organisation with 250 employees or more must appoint a Data Protection Officer (DPO) who is responsible for ensuring that personal data that is collected is secured responsibly.)
12. International
If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
The Information Commissioners Office has published a self-assessment tool to help assess where your business is in terms meeting GDPR requirements which can be found here.
What can San-iT do to help?
San-iT already have a huge focus on security and data protection and we have systems in place which tick a lot of the boxes for GDPR.
The majority of GDPR compliance boils down to having best practices in place and stringent processes to support this so in the event that a data breach is apparent, you can easily demonstrate that adequate protection is in place and that processes are followed which are acceptable to limit the breach and potential damage.
If your business is predominantly Cloud based, then your data access and protection will be considerably more advanced and better protected than if your data was located on-premise at your business. This means to get your business above the target score of 300, there is a process that can be followed along with a report to demonstrate compliance. This could include items such as Multifactor authentication for example which is the same technology that is used for accessing online banking.
If your business is predominantly on-premise, meaning that data resides on servers and systems located at your business premises, more is involved to secure the network and the data contained within it. This may mean that security appliances need to be installed, working practices changed and an additional level of complexity needs to be added to demonstrate compliance.
As part of Digital Transformation and moving to Cloud Technologies, a lot of the GDPR compliance is covered. There are also advanced threat analytics and ways for securing data with various products designed specifically for GDPR which also improve business processes and working practices.
For further information on how to work toward compliance for GDPR, please contact the team at San-iT
www.San-iT.co.uk 0161 359 3689
