You’ve probably heard about the GDPR (General Data Protection Regulation) – it’s been difficult not to – but what does the GDPR really mean for your business? What are the implications? How daunting is it really? And what will you need to do to ensure that you don’t fall foul of the new regulations?
The first key thing to remember is not to panic. Whilst there have been a lot of scare stories about the GDPR, it really isn’t as bad as it first sounds.
The GDPR comes into force on 25 May 2018 and aims to harmonise data privacy laws across Europe. Whilst some people may have us believe that it’s all about catching organisations out and punishing them, it really isn’t about making life difficult for organisations or putting them out of business. It is being introduced to make it easier for companies to do business across the EU, and to hand control of personal data back to individuals – it’s about protecting and enforcing the rights of individuals whose data is being gathered as part of their daily transactions.
The GDPR will replace the 1995 Data Protection Directive (Directive 95/46/EC), and its main concepts and principles are very similar to the Data Protection Act (DPA). If you’re already complying with the DPA (i.e. you are making all reasonable efforts to protect people’s data) then you’re well on your way towards complying with the GDPR (although there are some additional elements to the GDPR that need to be taken into account).
Under the GDPR, ‘personal data’ is anything that relates to an identifiable, living person and can be used to identify that individual. This could be anything from the more obvious types of personal data, such as name, contact details, bank card numbers, etc., to less tangible information such as location, shopping habits, online identifiers (e.g. IP address, cookies), physical characteristics, etc.
The ever-increasing digitisation of our communication and transactions means that we frequently hand over our personal data when we search or shop online, use social media and fill out online forms, for example. And because our online activities are trackable, we are leaving a footprint wherever we go online.
Data is becoming big business. Vast quantities of data are held about individuals and this can be used to assess trends or define behaviour characteristics (‘big data’), which can be very valuable to organisations and can benefit individuals, for example by tailoring online results or marketing to our needs. However, people who are intent on getting hold of personal data through fraudulent means and for fraudulent purposes are developing ever more ingenious ways to achieve this. Whilst most of us are careful about not submitting our details to untrusted sources, we can never be 100% sure that our data is safe. Some risks include:
The existing data protection regulations are no longer sufficiently robust to protect individuals, which is why the GDPR is being introduced.
No. Despite the UK’s withdrawal from the European Union, the GDPR will be brought into UK law although some amendments will probably be made to the overall framework.
Companies that don’t comply with the GDPR could face heavy fines, so it is important to ensure that you’ve taken the necessary steps to comply. What this actually means in practice depends on your business activities, your data subjects (B2B or B2C) and the extent to which you store personal data. However, some general advice is applicable to all:
We know everything there is to know about securing the data you hold as part of your business activities. We are specialists in cyber and data security and, as a provider of cloud services, we count as a data processor and are dedicated to ensuring the safety of the information you choose to store in the cloud. We can test your security procedures and advise you how to ensure that the data you hold is secure and that you are complying with the GDPR.
The Information Commissioner’s Office (ICO) has produced a useful guide to the GDPR, if you want to find out more. Or simply get in touch so we can discuss your data security requirements with you.