Wednesday, 26 April 2017

6 things you need to know about GDPR

The General Data Protection Regulation (GDPR) is set to come into effect from 25 May 2018. UK businesses need to be ready or face severe consequences.

In November 2016, Tesco Bank fell victim to a cyber attack in which £2.5 million was stolen from the current accounts of 20,000 customers. If the Information Commissioner’s Office (ICO) finds Tesco failed to comply with measures to keep people’s personal data secure, it could face a fine of up to £500,000. Under the new regulations set out in the EU GDPR, the same fine could be set at £1.9 billion.

After May 2018, businesses failing this new strict data protection compliance regime will face severe penalties of up to 4% of worldwide turnover. The GDPR means significant changes for all businesses that use or store the personal data of EU citizens.

“When it comes to data security, the silent spectre of EU General Data Protection Regulation is slowly kicking organisations into action, and incidents such as this will only accelerate this trend” - Nigel Hawthorn, the Chief European spokesperson at Skyhigh Networks.

In this blog we’ll look at 6 things you need to know about GDPR in order to prepare for its implementation in 2018.

1. Understand who GDPR applies to

Regardless of your business’s location, if you’re handling the data of European citizens then GDPR applies to you. Companies across the globe will be held to the exact same security standards.

This gives the European data protection authority the power to take action against any organisation breaching these regulations, regardless of geographic location.

Driven by the huge fines businesses face if they fail to meet the protection requirements, 70% of businesses are now expected to increase spending to address data protection and sovereignty, according to Ovum.

2. Understand what counts as personal data

GDPR will widen the definition of what constitutes personal data. The Data Protection Act 1998 (DPA) failed to recognise genetic and biometric information as personal data, while the GDPR does.

Under the EU GDPR, personal data will be defined as:
“Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation”.

This broad definition means almost all customer information now falls under the category of ‘personal data’. Your business must comprehend the significant changes in the incoming regulation, securing any and all data to avoid severe punishment.

3. Review your business’s Terms & Conditions

The GDPR regulation introduces new guidelines stressing the need for explicit individual consent before using a citizen’s data. Businesses will need to use simpler language when asking for consent, be clear on how the data will be used and understand that inactivity does not constitute consent. Lengthy and complicated terms and conditions which lack clarity will no longer be tolerated.

EU citizens will also have greater influence over what happens to their data, including data erasure (commonly known as ‘the right to be forgotten’) and data portability (transmitting data to another controller).

GDPR also introduces the data minimisation principle, requiring organisations not to hold data for any longer than absolutely necessary. This law also prevents businesses from changing the use of data from what it was originally collected for, unless they request permission.

4. You’ll need to conduct Privacy Impact Assessments

The GDPR introduces the need for Privacy Impact Assessments (PIAs) for any project where privacy breach risks are high.

Your business can no longer begin projects involving personal information, unless a privacy risk assessment has been conducted first. Your business must also work closely with a Data Protection Officer to ensure compliance throughout all projects.

Your organisation must integrate security into the core of all projects, rather than treating it as an afterthought.

5. You may need a Data Protection Officer

The EU GDPR removes the notion that regulations should relate to an organisation’s size or the number of employees.

If your organisation fits any of the three scenarios below, outlined in Article 37, it’s mandatory that you appoint a Data Protection Officer (DPO). The core activities of the organisation involve:

  • the processing of personal data by a public authority
  • “regular and systematic monitoring of data subjects on a large scale”
  • large-scale processing of special data, for example biometric, genetic or geo-location data

The role of the DPO is to monitor organisational compliance to the regulations and report all and any findings to the highest management level. A study by the International Association of Privacy Professionals (IAPP) suggests that 75,000 DPOs will have to be appointed globally in the next two years.

This same study shows that staffing requirements are likely to present a big challenge to organisations that don’t hire or develop the skills quickly.

Firebrand offers the Certified Data Protection Officer certification, designed for those with at least two years of experience in data protection. Sitting this 3-day course will build the skills and knowledge required to fulfil the role of DPO and maintain compliance with the EU GDPR.

6. Reporting a breach – constant monitoring required

In addition to outlining how your business should secure its data, the GDPR also has strict regulations on how your business must respond in the event of a data breach.

This includes the common breach notification requirement, which combines all breach notification laws across Europe under one definition and provides clarity on how your business reports a data breach. This notification law “requires organisations to notify the local data protection authority of a data breach within 72 hours of discovering it”.

Considering Yahoo stumbled across one of the largest security breaches in history two years after it occurred, this law forces even the largest organisations to be more proactive in identifying and reporting incidents. If GDPR applies to your organisation, you’ll need to put in place tools and processes that monitor for incidents and raise alerts 24/7/365.

Time is running out...

You have just 12 months to prepare for the incoming GDPR. As outlined above, there must be significant changes to the way your business collects, handles, secures and shares data in May 2018 and beyond.

Once these regulations are introduced, your organisation won’t get away with a minor fine for mishandling sensitive information. Failure to prepare will lead to severe, if not business-ending, financial consequences. Don’t get caught out: start your GDPR readiness journey today.