What is GDPR?
The General Data Protection Regulation is an EU legal framework. Its purpose is to provide international consistency around data protection laws and rights. It is crucial to both businesses and individuals, allowing them to protect and share information across international borders.
Will the UK Adhere to GDPR?
On 24 October 2016, the Secretary of State for Culture, Media and Sport, Karen Bradley, gave oral evidence to a Select Committee affirming that the UK will implement the General Data Protection Regulation (the “GDPR”).
Who is GDPR applicable to?
GDPR is applicable to all organisations that store, process or transmit personally identifiable information. The GDPR applies to ‘Controllers’ and ‘Processors’: the Controller determines how and why personal data is processed, and the Processor acts on the Controller’s behalf. A Data Controller is an individual, organisation or other corporate or unincorporated body (or bodies) of persons who (either alone, jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed. A Data Processor, in relation to personal data, means any individual, organisation or other corporate or unincorporated body (or bodies) of persons (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.
What is Personally Identifiable Information?
The goal of GDPR is to protect Personally Identifiable Information (PII), which can be defined as:
• Personal data
The GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed than that of the historic Data Protection Act (DPA) and makes it clear that information such as an online identifier (e.g. an IP address) can be personal data. The more expansive definition allows a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people. For most organisations keeping HR records, customer lists or contact details, the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.
• Sensitive personal data
The GDPR refers to sensitive personal data as ‘special categories of personal data’, which include: race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation, where processed to uniquely identify an individual.
Why Implement GDPR?
The GDPR will introduce significantly increased monetary penalties of up to 4% of worldwide annual turnover or a fine up to 20,000,000 EUR – whichever is greater. These sanctions can be brought against businesses acting as either Data Controller or Data Processor and will be enforced by the UK’s independent Supervisory Authority. In addition to sanctions, individuals will have the right to bring claims directly against the Controller or the Processor for breach of data protection law. Businesses based outside the European Economic Area (EEA) could also face sanctions and be subject to individual claims.
The impact described above can be summarised as follows:
✔ Financial impact associated with fines and investigations
✔ Financial impact associated with individual claims
✔ Reputational impact associated with data breach leading to loss of trust and business
What should organisations do to prepare for GDPR?
The controls associated with GDPR are broad and require you to implement adequate controls to protect personal data. In addition to this, you are required to inform the local independent supervisory authority within 72 hours of any breach being identified. From a technical perspective, Matchless IT recommends the following actions to ensure your personally identifiable information is best protected:
✔ Identify and understand what you are trying to protect
✔ Assess how these data assets are being protected, and what controls you currently have in place
✔ Protect your data assets by implementing a layered security perimeter; it’s essential you are not dependent on a single control
✔ Test the controls protecting your data assets to ensure they are effective
✔ Monitor your systems to identify malicious activity or evidence of data loss in a timely manner and provide forensic information to assist with the investigation
✔ Respond in a timely manner to quickly and effectively identify the cause of the breach, shut it down and report it to the affected parties
How can Matchless IT UK Help?
• Data Mapping - Understanding what data you have is essential to adequately protect it. Using interviews and process observations, Matchless IT's Certified EU GDPR Practitioner will develop a data inventory to accurately document all of the data repositories within your organisation. This will allow you to remove any duplicate repositories, understand vulnerabilities and potential threats to your data, define data owners, understand protection requirements, and then define and implement controls to protect what is required.
• Maturity Assessment - The GDPR mandates that adequate controls are implemented to protect your data assets. Matchless IT will provide a holistic review of your security controls to identify vulnerabilities and weaknesses.
• Awareness Workshop - Matchless IT will deliver an onsite workshop, specifically designed and tailored to your requirements, to educate you and your organisation’s employees about data privacy requirements and to provide an awareness of how the GDPR legislative changes will impact the organisation.
Contact us for a free Data Protection Impact Assessment and Recommendation.
Have you paid your Data Protection Fee to the ICO? https://ico.org.uk/for-organisations/data-protection-fee/
What's new on ICO's website about GDPR: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/whats-new/
ICO Enforcement Action: https://ico.org.uk/action-weve-taken/enforcement/
For more information about GDPR, DPO and Staff Training please contact us on 0161 300 9641 to speak with one of our GDPR Practitioners or email us: firstname.lastname@example.org