GDPR stands for General Data Protection Regulation.
GDPR is the new European legal framework for the protection of personal data. The key point is that it’s a regulation. Our current law, the Data Protection Act, comes from a European directive. When that directive was implemented, it was left to each member state to interpret it and write it into local law, so we ended up with a mishmash of data protection laws across Europe, making us a difficult continent to do business with. The GDPR is an expansion of existing principles, but there are some updates. First, there’s the Right to Be Forgotten: if people no longer want you to keep their data, they can ask for it to be deleted. There’s also a Right to Data Portability: if people are changing service provider, they can ask for their data to be provided in a certain format and transferred over. This is something that didn’t exist before.
There are various misconceptions around this, but there’s now a requirement to get explicit consent if you process any sensitive personal data. Breach notification standards have also been enhanced as part of the security measures. If you’re a data processor, you have to notify your data controller without undue delay if you become aware of a breach.
GDPR must be implemented by 25th May 2018; it’s a legal requirement.
Some of the terminology used:
A data controller is the party that collects the data and is responsible for how it is processed and used.
A data processor stores the data on behalf of the data controller. For instance, most hosted services, such as Microsoft Azure, are data processors because they host their customers’ data.
What will it mean for your business?
As technology changes, the methods used by attackers to steal data evolve. Therefore, advice and methods that companies relied on even five years ago no longer provide adequate defence. For example, the GDPR specifically mentions that data should be encrypted at rest (i.e. while stored on your network) and not just when it is moved off the network onto mobile devices or across the internet.
- Does your business collect information from clients to store on your IT system? – Names, addresses, cookies, IP addresses, credit card details, personal data, etc. GDPR makes it clear that your business needs to map out what data is collected, where it’s stored and who uses it.
- Mobile devices – Are you using encryption software to safeguard your business data? Does your email system have the facility to ‘remote wipe’ business emails from an employee’s mobile device or phone?
- Data breach – If your business has a data breach, i.e. data is lost in a cyber-attack, from May 2018 you could face huge fines. The ICO (Information Commissioner’s Office) has never issued a fine under the Data Protection Act greater than £400,000, but under GDPR this could increase to 4% of annual global turnover or up to €20 million.
- What about your business photocopiers/MFPs? – All networked devices, including printers, are in the firing line of increasingly sophisticated and aggressive cybercriminal activity. They also, by their very nature, handle large quantities of sensitive personal data that should not be shared without express permission. And yet most enterprises fail to incorporate MFPs into their overall data protection strategy. Other points to consider: How is data encrypted on printer hard drives? How well are printers protected from network intrusion? How secure and confidential is users’ printing? How secure is private scanned data?
- Memory sticks/portable hard drives – Can users just plug a USB drive into a computer and copy information from the network? Do you have IT policies in place to prevent this?
- What about Brexit? – In or out of the EU, your business will still have to adhere to a version of GDPR, whether it’s UK regulations or EU regulations.
For more information or assistance with readying your business for GDPR, get in touch to organise a consultation.