A new regulation relating to data that can be used to identify an individual comes into force in May next year. All customer organisations need to be aware of the rules or risk huge penalties. In this special feature, we look at the essentials of GDPR and help our clients and friends address the challenges.
General Data Protection Regulation (GDPR) is coming and it can’t be avoided or ignored. After 25 May 2018 organisations that don’t know what personal data they hold, or don’t do enough to protect it, face potential fines of up to 4% of their turnover, or €20 million.
Many businesses have very little understanding about what GDPR is, what it means and what is required. After May 25th, 2018 businesses will need to show that they know what information they’ve got and are protecting data sufficiently.
Under GDPR, the regulator as well as individual citizens will be entitled to ask organisations what information is being held – and every business or organisation will be expected to respond swiftly and appropriately. One major concern, especially for large organisations, public-sector departments and county councils is that come 25 May 2018, there will be thousands of requests being made by members of the public. In security circles, this is being referred to as “Denial of Service Week” because it is believed that some organisations will be totally swamped by requests, to which they will have to respond within a set period.’
While this may throw up major challenges especially during that first week and possibly stretching into several weeks, it is up to every business and organisation to be prepared for GDPR and take action to ensure they meet its requirements.
Organisations with 250 employees or more must appoint a Data Protection Officer (DPO) who is responsible for ensuring that personal data is collected and secured responsibly. Businesses with 250 staff will also need to adhere to GDPR if any of the data they hold or process could lead to the rights and freedoms of individuals being put at risk. This basically means if the data could be used to identify them, such as a PPS number, a person’s bank account details and home address. This is information that’s stored in any payroll system.
As businesses start the discovery process locating and correctly cataloguing the client and customer data they have on file, it also affords them the opportunity to gain a better insight into their own business and their customers. GDPR also presents opportunity for the vendors of business analytics and data mapping solutions.
Once discovered, data needs to be classified and secured once again creating opportunity for vendors who provide encryption and secure cloud storage solutions. It is however your responsibility to ensure that whatever solution you use has good all-round security backed up by your own appropriate digital security policy.
No matter what solution you use, be it advanced encryption tools or a simple spreadsheet, it is by researching and following best practices that will ensure your are GDPR compliant. A lot of the leaks you hear about are down to best practice not being followed anyway. With the additional threats of ransomware and other malware phishing menaces now very apparent, it is by applying best practices across your business or organisation that will likely save you from any future threats. In fact, in a piece we published on our blog, earlier this year we highlighted that “Common bad practices are your biggest threat”. In other words, not following best practices.
The General Data Protection Regulation (Regulation EU 2016/679) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for all individuals within the EU. Published on 27 April 2016, it will come into effect on 25 May 2018 and immediately replace the UK Data Protection Act 1998.
GDPR dictates how businesses, governments and public sector collects, uses and shares data on EU residents. It means that all companies that have data on EU residents must build data protection into their infrastructure or risk severe penalties.
Under the GDPR it is not just passwords, pin numbers or dates of birth that companies and other organisations will be legally obliged to protect and treat ethically. Anything that could be construed as ‘personal data’, must be protected. This also includes PPS numbers, IP addresses, email addresses, as well as any and all details on physical characteristics such as age, race, physical attributes, or gender.
There are two main reason why the current data protection regulations are being replaced with GDPR. Firstly, it is out of date and pre dates data rich platforms such as Facebook, Twitter, Snapchat etc.
Secondly, the penalties for beaches of the current regulations are simply too low. It is known that some companies include fines for illegal direct marketing campaigns as part of their budget. That will not be possible under the new legislation, with fines of up to 4% of turnover or €20 million, whichever is greater. Research has also shown that serious data breaches negatively affect consumer and investor confidence, and can hit share prices hard.
Under the GDPR many companies will be required to appoint a Data Protection Officer (DPO) to oversee how consumer data is collected, stored and disposed of.
For small companies which do not collect much consumer data this may be someone who takes on the role overall responsibilities in the company.
For consumer-facing companies which collect a lot of consumer data, the role will likely have to be a dedicated position.
The role will not be a middle-management appointment either – under the GDPR, the DPO must report only to the CEO of the organisation. It is permissible to appoint a third-party consultant as your DPO.
Most Irish companies are aware that the GDPR is coming, but simply aren’t prepared.
A recent survey conducted by the Irish Independent found that just 6pc of those questioned said their GDPR plans were at an advanced phase.
Reading articles like this or the many hundreds available online is a good starting point to get your head around GDPR. It is recommended you visit the website of the Data Protection Commissioner where you will find plenty of information including the very useful “GDPR and You”
You may need to have to look at an organisational overhaul, in how your company treats consumer data, which will need to be addressed on an ongoing basis.
Even small businesses should appoint someone either a qualified member of staff or outside consultant – to oversee the process, and to begin implementing some of the more straightforward practices, including amending consumer privacy statements.
You must finally begin the process of training staff to understand compliance with this legislation and ensure every member of staff than handles or has access to data is actively implementing it.
You can view the EU’s guidelines and get more information on GDPR at www.eugdpr.org