GDPR – what it means for businesses, and how we can help

You’ve probably heard about the GDPR (General Data Protection Regulation) – it’s been difficult not to – but what does the GDPR really mean for your business? What are the implications? How daunting is it really? And what will you need to do to ensure that you don’t fall foul of the new regulations?

The first key thing to remember is not to panic. Whilst there have been a lot of scare stories about the GDPR, it really isn’t as bad as it first sounds.

So, what is the GDPR?

The GDPR comes into force on 25 May 2018 and aims to harmonise data privacy laws across Europe. Whilst some people may have us believe that it’s all about catching organisations out and punishing them, it really isn’t about making life difficult for organisations or putting them out of business. It is being introduced to make it easier for companies to do business across the EU, and to hand control of personal data back to individuals – it’s about protecting and enforcing the rights of individuals whose data is being gathered as part of their daily transactions.

The GDPR will replace the 1995 Data Protection Directive (Directive 95/46/EC), and its main concepts and principles are very similar to the Data Protection Act (DPA). If you’re already complying with the DPA (i.e. you are making all reasonable efforts to protect people’s data) then you’re well on your way towards complying with the GDPR (although there are some additional elements to the GDPR that need to be taken into account).

What is ‘personal data’?

Under the GDPR, ‘personal data’ is anything that relates to an identifiable, living person and can be used to identify that individual. This could be anything from the more obvious types of personal data, such as name, contact details and bank card numbers, to less tangible information such as location, shopping habits, online identifiers (e.g. IP address, cookies) and physical characteristics.

Why are the current data protection laws being replaced?

The ever-increasing digitisation of our communication and transactions means that we frequently hand over our personal data when we search or shop online, use social media and fill out online forms, for example. And because our online activities are trackable, we are leaving a footprint wherever we go online.

Data is becoming big business. Vast quantities of data are held about individuals, and this can be used to assess trends or define behavioural characteristics (‘big data’), which can be very valuable to organisations and can benefit individuals, for example by tailoring online results or marketing to our needs. However, people who are intent on getting hold of personal data through fraudulent means and for fraudulent purposes are developing ever more ingenious ways to achieve this. Whilst most of us are careful not to submit our details to untrusted sources, we can never be 100% sure that our data is safe. Some risks include:

  • data harvesting (scripts used to automatically extract large amounts of data from websites in order to use it for other purposes);
  • cybertheft and hacking (the stealing of personal information);
  • the selling on of data without the data subject’s permission (trustworthy websites will state clearly that personal data will not be passed on to third parties, and will adhere to this);
  • phishing (fraudulent emails intended to convince people to hand over their personal information).

The existing data protection regulations are no longer sufficiently robust to protect individuals, which is why the GDPR is being introduced.

Does Brexit mean that companies in the UK won’t be expected to comply with the GDPR?

No. Despite the UK’s withdrawal from the European Union, the GDPR will be brought into UK law, although some amendments will probably be made to the overall framework.

How to take action

Companies that don’t comply with the GDPR could face heavy fines, so it is important to ensure that you’ve taken the necessary steps to comply. What this actually means in practice depends on your business activities, your data subjects (B2B or B2C) and the extent to which you store personal data. However, some general advice is applicable to all:

  • Get to grips with the GDPR. Key people and decision-makers in your organisation need to be aware of the implications of the new regulations.
  • Clarify who has responsibility for your data and how it will be managed. If you handle personal data, you will need to appoint a data protection officer to monitor its use and storage and ensure compliance with the GDPR. A data controller should oversee the activities of the data processor, who should be provided with a written procedure for managing data under the new regulations. Processing data in the cloud adds another layer to data handling (sub-processors), and this contract should be managed by the data processor.
  • Understand your data.
    • Carry out audits of the data you hold, where it came from and what it is used for.
    • Cleanse your data to remove duplicates or inaccuracies (take this opportunity to consider deleting data that is no longer required – data should only be stored for as long as it is really needed).
    • If you can’t demonstrate consent from data subjects but want to continue contacting them, you will have to re-permission them (taking care to ensure you don’t contact people who have already opted out).
    • Identify any high impact data.
  • Review your privacy policies and update them in line with the GDPR.
  • Focus on consent. Data subjects must give consent for their information to be used. This consent must be freely given, and only the information specifically required for the purposes of the transaction may be collected. It needs to be obvious to data subjects, at the point of data collection, what their personal information will be used for, and you will need to be able to demonstrate how and when consent was gained. It is no longer sufficient to include data subjects in marketing communications unless they explicitly consented to receiving updates from you when they submitted their email address.
  • Articulate processes for handling requests from data subjects. Procedures need to be in place for handling requests from individuals to view the personal data that is held about them, or to be deleted from your databases.
  • Have a plan in place in case of data breaches. How will they be reported and investigated?

How can we help you with GDPR?

We know everything there is to know about securing the data you hold as part of your business activities. We are specialists in cyber and data security and, as a provider of cloud services, we count as a data processor and are dedicated to ensuring the safety of the information you choose to store in the cloud. We can test your security procedures and advise you how to ensure that the data you hold is secure and that you are complying with the GDPR.

The Information Commissioner’s Office (ICO) has produced a useful guide to the GDPR, if you want to find out more. Or simply get in touch so we can discuss your data security requirements with you.