Understanding GDPR, the General Data Protection Regulation, will be critical for almost every business in the United Kingdom. On 25th May 2018 GDPR will become a requirement, and any business that has not taken action to implement it may find itself subject to fines of 40% of its global turnover or €20 million, whichever is greater. The ICO states that “it is not about fines or penalties, but about being compliant”, but for those who flout the regulations the fines will become a stick with which to beat them.
That’s why we created Understanding GDPR: there are some direct quotes from GDPR, but in the main these are discussed and explained with examples or diagrams.
We cover the 5 key concepts that form the cornerstones of GDPR:
With less than a year to go before GDPR processes and procedures need to be embedded within your company’s day-to-day activities, it would be wise to get started right away. At Watchman IT Security we have spent months getting to grips with the “Articles” and completing our own compliance requirements.
As soon as we had completed our own compliance we analysed the process and what we had learnt, then made the process repeatable across a wide range of businesses. Our guide covers the best place to start and how to move forwards with implementing GDPR in your business. Because of this we know and understand GDPR and how to become compliant.
Don’t waste any time: depending on the amount and variety of data sources you have, the process could take months to complete. Complete the form below and we will email you a link to “Understanding the General Data Protection Regulation”, a PDF document to get you started on GDPR.
Direct Quote from the ICO Website:
This overview highlights the key themes of the General Data Protection Regulation (GDPR) to help organisations understand the new legal framework in the EU. It explains the similarities with the existing UK Data Protection Act 1998 (DPA), and describes some of the new and different requirements. It is for those who have day-to-day responsibility for data protection.
This is a living document and we are working to expand it in key areas. It includes links to relevant sections of the GDPR itself, to other ICO guidance and to guidance produced by the EU’s Article 29 Working Party. The Working Party includes representatives of the data protection authorities from each EU member state, and the ICO is the UK’s representative.
The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
The ICO is committed to assisting businesses and public bodies to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond. We acknowledge that there may still be questions about how the GDPR would apply in the UK on leaving the EU, but this should not distract from the important task of compliance with the GDPR.
- With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations, and to individuals. The ICO’s role has always involved working closely with regulators in other countries, and that will continue to be the case. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will work with government to stay at the centre of these conversations about the long term future of UK data protection law and to provide our advice and counsel where appropriate.
- The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA – ie the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR. If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR. However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
- The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
- The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
For most organisations, keeping HR records, customer lists, or contact details etc, the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
Sensitive personal data
The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9). These categories are broadly the same as those in the DPA, but there are some minor changes.
For example, the special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing (see Article 10).
Understanding GDPR – What if you need help?
That’s why we are here. Of course we can assist you in understanding GDPR, or even take over the whole GDPR compliance process from beginning to end.
There are some critical data gathering steps we need to perform to ensure that your documentation and processes are not only correct but also practical on a day-to-day basis.
GDPR is not just a tick-box exercise; on the contrary, your business will be required to live, breathe and work with GDPR in every step of your business.
Knowing where data is at any particular moment is important, and being able to meet the requirements of GDPR for any particular request is no easy thing.
There is a lot about understanding GDPR that is clear and plain, but preparing for GDPR means a lot more than obtaining a basic understanding. Getting ready for GDPR involves a company creating policies, procedures and other supporting documentation from risk assessments.
We can provide training to help companies prepare for GDPR and ensure that the staff have a full understanding of the responsibilities they have as employees as well as the consequences for failing.
The course entitled “Getting ready for GDPR” is scheduled over 3 hours and is charged at £75 per person. Discounts are available for non-profit organisations.
So you have data that includes client information, and a client requests that their data be removed under their right to be forgotten.
Question: How are you going to deal with removing their data from your existing backups?
If you were to restore their data from a backup and as a result contact the client after their request to be forgotten, you would be in serious trouble. How are you going to achieve compliance?
It was a challenge we faced ourselves, and we have a simple solution, because simple really is the best.
GDPR and Security Assessments
There is a movement among IT security consultants that says having a security assessment will enhance your ability to resist a breach and, as a result, help you comply with GDPR’s requirement to protect client information.
Building layers of security and encryption into the routine of your daily business, alongside written IT security policies and staff procedures, supports the section of GDPR that requires security by design.
In fact when we analysed our own data and security we identified some processes that we could improve saving us time and money. One of the other results was that we found we could reduce the amount of data that we were holding and as a result our backups are smaller, quicker and require less data storage space.
Together all of the changes have simplified the daily procedures, data processing and lowered our overheads.
These were unexpected benefits that we are able to carry forward, and many of these changes can be replicated in other businesses. After all, once you notice certain patterns you start looking for them in other places. When we first visit new client businesses in North Wales looking to become GDPR compliant, our own experience enables us to apply extensive knowledge of GDPR, business types and IT security in such a way that we can easily improve, document and protect the business with the newly created procedures. Call us about “Understanding GDPR” today.
Contact us for more information:
Understanding GDPR North Wales
with Watchman IT Security – Keep your W.I.T.S. about you.