What is the GDPR?
Currently the Data Protection Act 1998 is something businesses adhere to in relation to the security of their business and customer data. However, on 25th May 2018, the General Data Protection Regulation (GDPR) came in to play in the UK with the intention to strengthen and unify data protection across Europe. This new regulation supersedes the DPA 1998.
How is the GDPR different to the DPA?
The GDPR introduces tougher fines for non-compliance and breaches for all business sizes and gives customers more control over what businesses can do with their data. It also makes data protection consistent throughout the EU.
How does Brexit effect the GDPR?
Since the announcement of Brexit, nearly a quarter of all UK businesses surveyed claimed they had stopped preparing for the GDPR. Source: Information Age. However, post Brexit, it has been confirmed that the UK will still be adopting GDPR regardless of being in the EU. Source: Computer Weekly This means the 25% who have stopped preparing are at risk of non-conformance and potential fines come May 2018.
Previously, Talk Talk had a major data breach in the UK which cost them 400k, however under GDPR, this fine would of totalled £59 million. Source: Sophos
7 things to do in preparation for the GDPR
1: Raise awareness within your business about the GDPR
Ensure that all decision makers and key staff within the business are aware that the data protection law is about to change as of 25th May 2018. Compliance requirements in line with GDPR may be complicated depending on your current business setup, so it’s best to start investigating what is going to need changing and start preparing now. Depending on your business type, your clients may also ask what they need to do to prepare for the GDPR and require your advice, so it’s certainly worth increasing your knowledge.
2: Document all business data
In line with the GDPR requirements which require you to maintain records of your processing activities. You should start to document what personal data is held within the business, where it came from and who you plan to share it with. By having this documented, you will also comply with the GDPR’s accountability principle which requires businesses to demonstrate effective policies and procedures in place when it comes to data protection.
3: Data breaches
Once the GDPR is in place, certain types of data breaches relating to your business must be reported to the Information Commissioners Office (ICO). Some businesses, depending on business type will need to report all types of data breaches, so we recommend researching what applies to your specific business type in relation to a data breach.
For example; With the GDPR, if the data breach is likely to result in a risk to the rights and freedoms of individuals such as discrimination, damage to reputation, financial loss, loss of confidentiality and any other significant economic or social disadvantage, the ICO must be notified within 72 hours. Failure to do so will result in a significant fine.
We supply a range of products to help with the prevention of data breaches via endpoint protection. The WatchGuard Threat Detection and Response (TDR) correlates network and endpoint security events with threat intelligence to detect, prioritise and enable immediate action to stop Malware attacks.
4: Individual’s data rights are enhanced with the GDPR
The GDPR includes the following rights for individuals
- The right to be informed
- The right not to be subjected to automated decision making including profiling
- The right of access
- The right to object
- The right of rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
It’s a good time to put some procedures in place to answer the following questions that a customer may ask you regarding the data your business holds relating to them. They will soon have a right to this information free of charge.
- Can you tell me exactly what data you hold about me and why you need to hold it?
- Can you confirm I am opted out of any automated customer profiling activity?
- What protection does your company have in place regarding the details you hold about me and my company?
- If I cease working with your company, when and how do you delete the data in relation to me?
5: Customer consent when opting in
With the GDPR, customers need to consent to the use of their data. For example; email marketing opt ins or automatically opting in to additional add on services. Where as previously, businesses could pre tick a box somewhere in their literature and hope it wasn’t un-ticked, with the GDPR, opt ins must be freely given, specific, informed and unambiguous.
You also must ensure these data opt ins are separate from any other terms and conditions and you must put a process in place where customers can manage their consent by easily opting out of things at a later date.
A record of customer consent options must also be available.
6: Implement marketing leading solutions to help meet GDPR regulations
Microsoft has a wide range of business products specifically designed to comply with the new GDPR legislation such as;
Microsoft Azure – designed to safeguard your data in the cloud including the categories of personal data identified in the GDPR. It also allows you to effectively manage business data, manage user identities and credentials and determine different levels of access.
Microsoft Dynamics 365 – enables businesses to securely manage and control their data in the cloud, which also helps to reduce risk and achieve GDPR compliance.
Microsoft Enterprise Mobility + Security – this solution enables you to manage all types of business data across a wide variety of devices which can drastically reduce the risk of data breaches.
7: Appoint a Data Protection Officer
By May 2018 your business should have a dedicated person assigned as the Data Protection Officer (DPO) to manage data compliance in line with the GDPR. This individual will be fully responsible for the businesses data management.
Certain types of businesses will be required to formally designate a DPO eg, public authorities etc.
Make sure you plan for this and assign this responsibility to a person within your company who is most experienced. Eg; the person who is currently in charge of IT Security/Disaster recovery.
We have written other useful articles on this topic which you also may wish to read: The GDPR – what it means for UK businesses, New EU General Data Protection Regulation (GDPR), GDPR – what are the penalties for non-compliance?, and The Role of a GDPR Data Protection Officer.
Infinity Group are advanced IT Security specialists as well as Microsoft Gold Partners. If you are interested in finding out more about the GDPR or implementing any of the solutions suggested in this blog, please get in touch.