Posted on: 20 Apr 17
General Data Protection Regulation, or GDPR, is a European law coming into effect on 25 May 2018. Although that may seem quite some time away, its implications are far reaching and businesses need to start thinking now about compliance.
GDPR will become law before the UK has left the European Union. It is widely believed that if the UK wishes to continue to trade smoothly with Europe, it will not only have to adhere to many European laws but will also adopt many of them in the short term.
The regulation provides a single set of data protection rules across Europe. According to the Information Commissioner’s Office “many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.”
A key goal of GDPR is to give individuals better control over the personal data that businesses hold on them. Personal data is any information that can be used to identify them directly or indirectly, including data such as usernames, IP addresses and cookies.
Businesses must be able to show when and how the data was collected and that it was for specific and legitimate purposes. If the data is no longer required for the purpose it was collected then it must be deleted. In addition, individuals have the right to be forgotten and can withdraw consent at any time.
Many businesses will have data linked to individuals. While it may be relatively easy to remove someone from a mailing list, if they wish to be forgotten, are you able to remove them from your system without corrupting your database?
Companies are required to report any data breaches that lead to “the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Businesses need to ask who has access to the data and whether they can be sure it is secure.
In comparison to the DPA, businesses that do not comply with this new regulation will be open to substantial fines of up to ten million euros or two per cent of global gross turnover, whichever is the greater. This tier covers record-keeping, security and breach-notification violations; the maximum doubles for violations connected to lack of consent, data subject rights and cross-border data transfers.
The UK Information Commissioner’s Office (ICO) has published Preparing for the General Data Protection Regulation (GDPR) – 12 Steps to Take Now, which can be downloaded from their web site.
Some of these steps for organisations are summarised next.
As a Microsoft Gold Partner, we recommend and manage a wide range of Microsoft services for our customers. Microsoft is highly experienced in supporting pan-European and international customers and is investing heavily in helping them achieve GDPR compliance.
Microsoft’s GDPR page highlights its goal “to streamline your compliance with the GDPR through smart technology, innovation, and collaboration. Microsoft products and services are available today to help you meet the GDPR requirements, and we are investing in additional features and functionality.”
GDPR will affect businesses in a wide range of ways depending on their size and activity, with B2C businesses perhaps coming under the most pressure.
If you'd like a friendly chat about data security then contact me, Chris Joberns, on 01473 835 280.