On the 25th May 2018, the General Data Protection Regulation (GDPR) will replace the Data Protection Act. Designed to strengthen the protection of EU citizens, GDPR is effectively a ready-made privacy law developed to unify legislation across the different European countries.
That said, GDPR is a global issue; anyone that is controlling or processing the data of EU citizens needs to comply with the regulation. Despite Brexit, the UK will be going ahead and adopting the new regulation. Put simply, GDPR ensures that individuals can control how their personal data is used and reshapes the way organisations approach data privacy. And by personal data we don’t just mean names and email addresses. GDPR covers any data that can identify a person online, such as an IP address.
What are the requirements?
The regulation is a massive 130-page document, but the key principles can be found in Article 5. They focus on the lawful, fair and transparent management of data, including:
- Clear user consent – GDPR is much more demanding than the data protection act about being explicit, transparent and unambiguous – the user can be in no doubt about what information they’re giving and how it will be processed. For example, if an insurance company decides that it wants to use customers’ email addresses to track activity on social media to inform premiums, with GDPR this activity will need to be shared with those customers.
- The legal processing of data – lots of organisations have been creating huge data lakes and then working out how they’re going to process them. GDPR requires you to be upfront and know how you’re going to process the data before you start collecting it.
- Transparent contracts – customers will need to have the ability to approve sub-contracting around data processing.
- Mandatory data breach notification – in the event of a data breach, businesses will be obliged to inform the ICO without delay and at most within 72 hours of becoming aware of it. This may leave companies in a delicate balance between notifying quickly and notifying only once they have all the information to hand.
- The right for consumers to see, amend and delete data – subject access rights will give consumers the power to see all the personal data that a company holds on them and demand that this information is corrected or deleted. The responsibility is on the company to make this process as easy as possible. Given the sheer volume of information some companies hold, this may be tricky. Organisations will have one month from receiving a subject access request to complete it, and failing to do so will be deemed a major breach incurring a large fine.
- Demonstrating data privacy from day one – businesses will need to show that they’ve accounted for data protection by design and accountability. For new systems this means showing that data privacy has been considered right through from design to implementation.
It’s a business and an IT issue
With less than one year to go until GDPR comes into effect, it’s important that you start the journey and understand how the regulation will affect you. Assessing the impact, getting the board to agree, understanding the specific IT requirements and then rolling out any new tools and systems takes time and careful planning.
Rather than considering GDPR to be the responsibility of one business area, departments across an organisation will need to work together to ensure they’re ready. The business needs to provide IT with clear direction on the approach, risk, priority, ownership and governance of their data. But rather than just waiting to receive this information, IT departments should ask questions and start to predict the need now. Questions like: who has done the risk assessment? Have you assessed the impact and the risk of fines? What IT requirements are being driven by GDPR?
Any business also needs to ensure that their IT department is prepared by knowing where personal data exists and how they plan to respond to a subject access request.
The motivation to invest
Currently a data breach can cost an organisation up to £500K, but the fines for breaching GDPR regulations are huge. A minor breach will cost 2 per cent of the global annual revenue of the company or £10M, whichever is greater. A major data breach will incur a fine of 4 per cent of global annual revenue or £20M, whichever is greater.
However, rather than worrying about the potential implications of a breach, businesses should view GDPR as an opportunity to gain competitive advantage and as a catalyst for improvement in IT capabilities.
At SCC we’re trying to break down this daunting task into a set of phases to help businesses understand and plan the road to compliance. This includes delivering technology that automatically finds and tags personal data across your enterprise, and deploying tools that offer cyber and network security controls and detection of suspicious activity.
For help at any stage of the journey, please get in touch by calling 0121 766 7000.