2018, the year of GDPR. A year that promises to shake up how data protection is looked at, not only in Europe but on a global scale. Organisations of all sizes will need to prepare: understanding the regulation and how it affects them, then implementing solutions and processes to comply. Data management and protection organisations will play an important role in helping other organisations with the education process and with compliance.
How to prioritise your time when getting ready for the GDPR?
Time is of the essence: with just over 4 months until the 2-year implementation period is over, May 25th, 2018 will mark the official start of the General Data Protection Regulation as it becomes enforceable law across all of Europe. Many organisations will have some understanding of the regulation by now, but for those that don’t, the worrying headlines about fines could be very daunting.
Understand and educate:
The regulation is complex and has been fiercely debated by many attempting to work out what needs to be done to comply. In the UK, the Information Commissioner’s Office (ICO) is the authorised regulator responsible for ensuring compliance. It has released a 12-point guide to understanding and complying with the regulation, which sets out the requirements simply.
Mapping and reviewing:
One of the main principles of the GDPR is to improve the security of data and reduce the likelihood of data breaches. 2017 saw a number of large-scale data breaches, many of which were investigated by the ICO, with organisations fined accordingly. Undertaking exercises internally to understand what data exists within an organisation is the first step to understanding where the risk of a breach may lie. Factors that can be mapped include:
- Where data is stored
- Who has access to the data
- Whether data has been shared externally
Under the regulation, organisations must undertake ‘technical and organisational measures’ to reduce the risk of a data breach. These can include not allowing data to be transferred to third-party organisations that do not have security processes in place to prevent breaches.
While compliance itself is an ongoing process, it is important for organisations to be able to show that they have processes in place to reduce the possibility of a data breach and to protect data. These processes must include an outline of how data is protected and, in the case of personal data that is processed, must outline where and how consent was gathered.
Being able to demonstrate these processes will be looked upon favourably if a data breach occurs and is likely to have a positive effect on any fine that a regulatory authority issues as a penalty for non-compliance. Redstor has partnered with compliance specialists GDPR365 to help with this process; if you would like to find out more, contact one of the Redstor team today.
Why is the GDPR worrying so many organisations?
As well as being the largest change to data protection laws in the last 20 years, the GDPR represents a significant change in how data subjects (the persons to whom data relates) are treated. Consent can no longer be assumed, and an individual has more rights around how and where data can be used; a data subject may also request that all copies of data held on them be securely deleted. This is called the Right to Erasure and is set out in Article 17 of the regulation.
There are also the fines for non-compliance, which have been making huge headlines and have been used as scare tactics by many. Under the Data Protection Act, the largest fine the ICO could hand out was £500,000 for a serious data breach. Under the GDPR the largest fine that can be given is €20,000,000 or 4% of global revenues, in addition to a potential fine of €10,000,000 or 2% of global revenue for failing to report a breach within 72 hours.
GDPR and Brexit
With the countdown to Brexit also well underway, some people and organisations thought that the GDPR would not come into force in Britain. This is not true, however: the British government will transpose the regulation into law in the form of the New Data Protection Bill (which will become an Act on passing), and this will come into force on May 25th, 2018.
Redstor and the GDPR
As a data management and data protection expert since 1998, Redstor has been working with partners and end-users to help educate them on the regulation and to help organisations understand the responsibilities they have. To find out more about how the regulation may affect you and to understand what changes you may need to make, download the free whitepaper now.