What is the GDPR?
The EU General Data Protection Regulation, or GDPR as it’s more commonly known, comes into effect on May 25th, 2018.
In the UK the GDPR supersedes the Data Protection Act 1998 (across the EU it replaces the 1995 Data Protection Directive, 95/46/EC). It was designed to harmonise data protection law across Europe, to protect the personal data of individuals in the EU and to reshape the way organisations across the region approach data protection.
Consideration has been given to new technologies, business processes and data usage that have become part of the digital economy in recent years.
If you process the personal data of individuals in the EU, the new legislation applies to you regardless of where your organisation is located. Managing data correctly is the responsibility of both data controllers and data processors.
Under the new rules, responsibility and liability for data protection sit at board level.
6 GDPR myths busted
1 – My business is an SME – this new regulation does not apply to us.
2 – GDPR is all about security – if I have robust security and encryption I will be compliant.
3 – The ICO won’t impose large fines – we are less likely to receive a large fine and more likely to get a warning.
4 – I have EU customers, but my business is located outside Europe, so GDPR does not apply to us.
5 – GDPR doesn’t take effect until May – my organisation has plenty of time to achieve compliance.
6 – I am only a data processor – the General Data Protection Regulation (and the big fines) only applies to data controllers.
6 benefits of GDPR compliance
1 – Reduce reputational risks
No organisation wants to be in a position where its data breach is the subject of a newspaper headline. Having your reputation sullied is bad for business. If you are compliant with the new data protection legislation, you are reducing the risk of reputational damage and protecting your organisation.
2 – Reduce financial risks
The financial risks of a data breach are far-reaching. Large fines (under Article 83 up to €20 million or 4% of worldwide annual turnover, whichever is higher), compensation claims, lost revenue and long-term reputational damage are just some of the ways a breach resulting from non-compliance will hit an organisation’s finances.
3 – Organise your data
Compliance with the legislation means you will have to clearly identify and manage personal data you hold. This type of data organisation carries potential advantages that include streamlining data-related processes, efficient data management and potential long-term reduction of data management costs.
4 – Build trust
Trust is the backbone of every transaction and as more business is conducted online, it is important to take data protection seriously. Having a GDPR-first approach will offer reassurance to clients and partners.
5 – Reduce chaos
Organisations that have put timely measures and controls in place to comply with the legislation will avoid the chaos and business disruption that follows either a badly handled data breach or a last-minute realisation that the legislation is now fully in force.
6 – Peace of mind
Knowing that your organisation is legally compliant and that you are therefore reducing risks of reputational damage, fines, identity theft and credit card fraud amongst others is a huge benefit to any organisation and allows efforts to be focused on protecting and growing the business.
6 principles of GDPR
Article 5(1) sets out the principles that every controller must follow when processing personal data:
1 – Lawfulness, fairness and transparency – process data lawfully and tell individuals what you are doing with it.
2 – Purpose limitation – collect data for specified, explicit purposes and do not reuse it incompatibly.
3 – Data minimisation – collect only what is adequate, relevant and necessary for those purposes.
4 – Accuracy – keep data accurate and up to date; correct or erase inaccurate data without delay.
5 – Storage limitation – keep identifiable data no longer than the purpose requires.
6 – Integrity and confidentiality – protect data against unauthorised or unlawful processing, loss, destruction or damage.
Article 5(2) adds accountability: the controller must be able to demonstrate compliance with all of the above.
Cybersecurity & GDPR
Cybersecurity and data protection are tightly integrated
Data security and data privacy are closely linked: privacy depends on security, and no privacy commitment is meaningful if the data it covers can be read or stolen by unauthorised third parties.
Encryption – at rest and in transit
Data should be encrypted wherever it is stored or transmitted: on mobile devices, servers, PCs and in the cloud (full-disk, database or field-level encryption at rest), and in transit to remote systems (TLS). Encryption only counts as a protective measure if the keys are managed separately from the data they protect; a database backup encrypted with a key stored alongside it protects nothing. Article 34(3)(a) reflects this: if breached data had been rendered unintelligible to unauthorised parties, for example by encryption, the controller need not notify the affected individuals.
Article 32 requires “appropriate technical and organisational measures” proportionate to the risk. Technical measures are generally managed by the IT department and include, but are not restricted to, anti-virus, email security, firewalls, password management tools, identity management, intrusion detection and data loss prevention.
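As an added example (not code from the original page), the following Go program shows encryption at rest of a single personal-data record using AES-256-GCM from the Go standard library. It assumes the key is supplied by a key-management system separate from the data store; the record ID is bound in as associated data so a stored ciphertext cannot be silently re-attached to another record, and a wrong key, a wrong record or a tampered byte makes decryption fail outright rather than return garbage. The record contents and IDs are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key. In production the key comes from a
// KMS or HSM (assumed here) and is never stored next to the ciphertext it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-256-GCM AEAD, rejecting keys of the wrong length.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record. recordID is passed as associated data: it is
// authenticated but not encrypted, so the blob can only be opened for the
// record it was written for. Output is base64(nonce || ciphertext || tag).
func Seal(key []byte, recordID string, plaintext []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	// Fresh random 96-bit nonce per message; GCM nonces must never repeat under one key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, []byte(recordID)) // nonce prefix, then ct||tag
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Open decrypts a blob produced by Seal for the same key and recordID.
func Open(key []byte, recordID string, blob string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		// Deliberately generic: the caller is not told whether the key, the
		// record binding or the ciphertext was at fault.
		return nil, errors.New("decryption failed: wrong key, wrong record, or data tampered with")
	}
	return pt, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real personal data.
	const id = "customer/1042"
	record := []byte(`{"name":"Jane Doe","email":"jane@example.com"}`)

	blob, err := Seal(key, id, record)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", blob)

	pt, err := Open(key, id, blob)
	fmt.Printf("correct key and record: %s (err=%v)\n", pt, err)

	_, err = Open(key, "customer/1043", blob)
	fmt.Println("blob re-attached to another record:", err)

	raw, _ := base64.StdEncoding.DecodeString(blob)
	raw[len(raw)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = Open(key, id, base64.StdEncoding.EncodeToString(raw))
	fmt.Println("tampered ciphertext:", err)

	other, _ := NewKey()
	_, err = Open(other, id, blob)
	fmt.Println("wrong key:", err)
}
```

The point to take from the failure cases is that authenticated encryption turns “someone has altered or moved this record” into a hard error; plain AES-CBC without a MAC would decrypt the tampered blob to silently corrupted personal data.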
Information security framework
Implementing an information security framework such as ISO 27001 or IASME will greatly assist with GDPR compliance and demonstrate good data protection principles.
Organisational measures include policies, processes, training and access limitations.
Ignore at your peril
GDPR is happening and it’s going to affect you. We strongly advise working towards compliance in a structured manner sooner rather than later.
Privacy by design
Data Protection Impact Assessment (DPIA)
DPIAs help organisations identify the most effective way to meet their data protection obligations and individuals’ expectations of privacy. Article 35 makes a DPIA mandatory where processing is likely to result in a high risk to individuals, for example large-scale processing of special-category data or systematic monitoring.
Limit who sees data
Use role-based access controls so that only individuals with a genuine need to see personal data can do so, and review role assignments regularly so access does not accumulate.
Limit data collection
Collect only the personal data you need for a stated purpose (data minimisation). The GDPR also contains explicit provisions about documenting your processing activities (Article 30): you must keep written records of, among other things, the purposes of processing, who the data is shared with and how long it is retained.
Check that you can ensure the ongoing confidentiality, integrity, availability and resilience of the systems that process personal data (Article 32(1)(b)).