In this article we aim to explain what GDPR is and how it effects you, along with some useful web links.
On 25 May 2018, the General Data Protection Regulation (GDPR) will be enforced across Europe, including the UK.
It’s important to state that the GDPR will apply to any business that processes the personal data of EU citizens which means that it could also apply to companies based outside of the EU.
Many of the GDPR’s main concepts and principles are much the same as
those in the current Data Protection Act (DPA), so if you are complying
properly with the current law then most of your approach to compliance
will remain valid under the GDPR and can be the starting point to build
from. However, there are new elements and significant enhancements, so
you will have to do some things for the first time and some things
How does this effect you as an individual ?
Under the new rules, individuals have “the right to be forgotten”, meaning they will be able to request that businesses delete their no longer necessary or accurate personal data. As well as the right to be forgotten, the law holds provisions that could potentially increase consumers’ rights over their data.
How does this effect you as a business, be it a large company or a sole trader ?
This change of data protection laws is all well and good for individuals, but it could mean huge fines for businesses that don’t comply with the laws. You need to work out how to give it back to them (the individual) and how to ensure it is stored adequately and then deleted securely. Companies already successfully abiding by the 1995 legislation will probably be covered, but it is best to check first.
- Know what you have, and why you have it
- Manage data in a structured way
- Know who is responsible for it
- Encrypt what you wouldn’t want to be disclosed
- Design a security aware culture
- Be prepared – expect the best but prepare for the worst
GDPR checklist for UK small businesses
Remember, your checklist needs to take into account past and present employees and suppliers as well as customers (and anyone else’s data you’re getting hold of, storing and using).
- Know your data. You’ll need to demonstrate an understanding of the types of personal data (for example name, address, email, bank details, photos, IP addresses) and sensitive (or special category) data (for example health details or religious views) you hold, where they’re coming from, where they’re going and how you’re using that data.
- Identify whether you’re relying on consent to process personal data. If you are (for example, as part of your marketing), these activities will become more difficult under the GDPR because the consent needs to be clear, specific and explicit. For this reason, you should avoid relying on consent unless absolutely necessary.
- Look hard at your security measures and policies. You’ll need to update these to be GDPR-compliant, and if you don’t currently have any, get them in place. Broad use of encryption could be a good way to reduce the likelihood of a big penalty in the event of a breach.
- Prepare to meet access requests within a one-month timeframe. Subject Access Rights are changing, and under the GDPR, citizens have the right to access all of their personal data, rectify anything that’s inaccurate and object to processing in certain circumstances, or completely erase all of their personal data that you may hold. Each request carries a timeframe and deadline of one month (which can only be extended in mitigating circumstances), from the original date of request.
- Train your employees, and report a serious breach within 72 hours. Ensure your employees understand what constitutes a personal data breach and build processes to pick up any red flags. It’s also important that everybody involved in your business is aware of a need to report any mistakes to the DPO or the person or team responsible for data protection compliance, as this is the most common cause of a data breach.
- Conduct due-diligence on your supply chain. You should ensure that all suppliers and contractors are GDPR-compliant to avoid being impacted by any breaches and consequent penalties. You’ll also need to ensure you have the right contract terms in place with suppliers (which puts important obligations on them, such as the need to notify you promptly if they have a data breach). See ‘How can I check my suppliers are GDPR-compliant?’ further down.
- Create fair processing notices. Under GDPR, you’re required to describe to individuals what you’re doing with their personal data. See ‘Fair processing notices’ below for more information.
- Decide whether you need to employ a Data Protection Officer (DPO). Most small businesses will be exempt. However, if your company’s core activities involve ‘regular or systematic’ monitoring of data subjects on a large scale, or which involve processing large volumes of ‘special category data’ (see ‘Is my data sensitive?’ below) you must employ a Data Protection Officer (DPO).
The above 8 points have been taken from www.simplybusiness.co.uk
What are “Controllers” and “Processors” ?
The GDPR regulations applies to ‘controllers’ and ‘processors’.
A controller determines the purposes and means of processing personal data.
A processor is responsible for processing personal data on behalf of a controller.
For example, a bank (would be a controller) collects the data of its clients when they open an account, but it is another organisation (the processor) that stores, digitizes, and catalogs all the information produced on paper by the bank. These companies can be data centers or document management companies. Both organisations (controller and processor) are responsible for handling the personal data of these customers.
12 steps to GDPR – https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
GDPR self assessment guide – https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/
GDPR The Good, The Bad and The Ugly – https://www.tripwire.com/state-of-security/security-awareness/gdpr-the-good-the-bad-and-the-ugly/
Key points of GDPR – https://www.retailstore.co.uk/gdpr-a-simplified-guide/
GDPR guide for small business – https://www.simplybusiness.co.uk/knowledge/articles/2017/11/what-is-gdpr-for-small-business/
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.