When the European Union’s General Data Protection Regulation (GDPR) comes into force in May 2018 it will transform the way that any organisation has to look after personal data. Increasingly however, we are finding organisations are “GDPR-ed” out – exhausted and already switched off by the mountain of information out there. So, why is it important and how can you get your house in order?
GDPR matters: so what is the GDPR?
It is a new EU regulation governing how organisations should store, handle and protect anyone’s personal data.
A lot of what it covers is already in the UK’s own Data Protection Act but basically any organisation, regardless of size, will need to keep a record of all personal data held, show what that data is being used for, highlight how it is being protected, prove that consent was given for its use and ultimately show where it ends up.
The GDPR is the biggest ever overhaul of data protection regulations and, critically, if an organisation suffers a cyber-attack or other data breach it will not only have a mere 72 hours to report it, but the resulting penalty fines could be large enough to bankrupt the organisation.
What is personal data you may ask? Well the definition of personal data has now been extended to include additional categories such as your computer’s IP address or your genetic make-up – it is essentially anything that could be used to identify you.
Why should organisations care?
We are already hearing people complaining about the amount of information that is being regurgitated about GDPR. However, if you are found to be non-compliant then this could lead to huge fines of up to 20 million euros – or 4% of global turnover. For many of our clients, that figure could amount to millions – possibly billions.
The BBC recently quoted Consult Hyperion, an electronic financial transactions specialist, who forecast that European financial institutions could face fines totalling 4.7bn euros (£4.1bn; $5.3bn) in the first three years following the GDPR coming into force.
Moreover, the article quotes Anthony Lee, a partner in law firm DMH Stallard, as saying: “Talk Talk [a UK telecoms company] was fined £400,000 for failing to prevent the 2015 customer data breach, but under the new regime fines could be many multiples of this.”
But what about the benefits of getting data protection right? Rather than focussing on the big fines, a spokesperson for the UK’s Information Commissioner’s Office (ICO) stated within the article that “There is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals – and gain a competitive edge… if your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices when the new law comes in next year, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance.”
What should businesses be doing?
One of the many reasons we hear for a lack of preparation is a lack of knowledge about the data that organisations actually hold, so one of the key tasks we would suggest you do now is to carry out a data audit. If you don’t know what data you hold or where it is stored, then that in itself is a potential security weakness.
The value of data is making every business, and every individual, a potential target of cyber crime, so organisations must take every possible step to minimise their risk of compromise. Would your organisation be able to prove that it had taken all reasonable measures to protect the personal data it holds?
What about obligations at End of Life? What does GDPR mean for Data Controllers then?
When it comes to redundant or legacy equipment, data controllers may only appoint a data processor that provides “sufficient guarantees” that it will implement appropriate measures to ensure its processing meets all GDPR requirements, and data processors are required to process personal data in accordance with the controller’s specific instructions.
Data processor activities must also be governed by a contract with regard to the controller – so the days of choosing a data processor for any reason other than stringent compliance and audit – are over. The obligations on the processor must cover the duration, nature and purpose of the processing, the types of data processed and the obligations and rights of the controller.
There are a number of more specific requirements, including that personal data is processed only on documented instructions from the controller, as well as requirements to assist the controller in complying with some of its own obligations.
Where can you get more information?
There are lots of companies that are offering to help prepare for GDPR and EOL can certainly guide and assist you when it comes to the IT Asset Disposal and data security requirements of the GDPR – we’re happy to help – contact us today on 0845 600 4696.
For more general information on the regulation in its entirety, you could visit the UK’s Information Commissioner’s Office which has an entire section of its website giving advice and information or alternatively the European Union’s GDPR website which also gives some very good advice.