Many people have been asking us about the implications of the impending GDPR (General Data Protection Regulation) on their business. It is important to understand that GDPR is not just an IT issue as the regulation applies to all data including the likes of everyday paperwork, business cards and CCTV recordings, as well as your electronic data. As your management system provider, we can however try to answer some of your general questions:
What is it?
GDPR is a new European regulation that replaces the Data Protection Act. (DPA) These regulations both cover the way organisations store, transmit and process personal data and are designed to protect the fundamental rights of data subjects.
We are leaving the EU, does it really matter?
Yes, the current DPA will be updated to reflect and run in parallel with the GDPR.
But we already have the Data Protection Act anyway don’t we?
There are a few significant differences between the GDPR and the current DPA.
• GDPR is very much about accountability, you have to have documentary evidence that you are complying with the regulation.
• You must have procedures in place for enabling data subjects to exercise their rights.
• You might need to appoint a Data Protection Officer, depending on the types of data you hold.
• You might have to undertake and document a Data Protection Impact Assessments (DPIA), but at the very least you must demonstrate that you have assessed any risks inherent in your processing activities and dealt with them accordingly.
Are you GDPR compliant?
The requirements of GDPR are specific to the new legislation and you won’t be GDPR compliant unless you take steps to ensure that you have all of those requirements in place.
At Tarragon we have always been responsible custodians of our client’s data. We have therefore enlisted the help of a company specialising in GDPR compliance in order to ensure we get it right post 25th May 2018.
What are our options?
You essentially have three options:
1. Learn about the regulation yourself and manage your own compliance; it is however a large and complex piece of legislation, so be prepared to put a lot of time into it.
2. Attend specialist training in order to fast-track your compliance by at least understanding what you physically need to do. Beware though, there are innumerable ‘courses’ that supposedly teach you about the regulation, but many of them are actually an elaborate sales pitch for something else.
3. Enlist the help of consultants with in-depth knowledge of the regulation so that they can help guide you toward compliance.
What if I do nothing?
Be warned! The governing body will have new powers in May that will allow them to enter any premises without notice and impose fines of 4% of global annual turnover for non-compliance. (Remember that’s not just a data breach but just non-compliance.)
As you can see the GDPR is bringing some significant changes and has the potential to impose significant penalties on businesses for non-compliance.
If you decide that you will try to manage GDPR yourself then we, along with our consultants at Unity Metrix Ltd., can offer you the following guidance to get you started:
1. Communicate It is important that everyone in your business understands what is going on; there is little point in plugging holes at one end of the pipe if users are creating holes at the other end.
You need to show where your data is, how you got hold of it, why you are holding it, and who else has access to it. You can make a list of processing activities in a spreadsheet, but you should research the exact requirements. You will also need to determine the lawful basis on which you will rely to process this information for example: Consent; contractual obligation; legal obligation; legitimate interest; public interest or vital interest.
Discover the points in your business and in your network that could potentially present a risk to the data. You will need to document that you have considered these risks.
You should understand the rights of every individual on whom you have any sort of data. There are broadly speaking 8 of these: The right to be informed; the right to access their own information; the right to rectification; the right to be forgotten; the right to restrict processing; the right to data portability; the right to object; the right to contest automated decisions.
You must have documented procedures and processes in place in order to adequately fulfil requests by data subjects pursuant to their rights.
6. Incidents & Breaches
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data. It is incumbent on you to have procedures in place for managing and reporting any incidents that did or could constitute a data breach, to the relevant parties in the allotted time.
7. Review privacy notices
You will need to review and update any privacy notices especially where you intend to rely on consent as a lawful basis for processing.
8. Children & Special Categories of data
If you have any data on children, race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life or sexual orientation of any living person then the regulation is further complicated and we suggest you seek further advice.
We hope that this general overview of the GDPR has helped you to identify what you may need to address in order for your business to ensure compliance. Please contact us if you require any information in respect of how your electronic data with KMSS is managed, or if you would like further information about GDPR and your business from our GDPR consultants, Unity Metrix Ltd. They will be able to provide group training courses, 1-2-1 guidance or full physical & electronic security audits.