GDPR

What is GDPR?

The General Data Protection Regulation (GDPR) is a reform of data protection in the UK and it comes into force on 25th May 2018.

GDPR replaces the Data Protection Act of 1998. Its regulations were introduced by the EU to meet a rapidly changing digital landscape that has made much of the 1998 act dated and irrelevant. We have seen a vast number of security compromises in data usage, which have often led to breaches by hacking, unethical use of data such as mass data sales, insufficient respect for user privacy and misguided data ownership. The new rules place greater emphasis on roles and responsibilities by providing stringent guidelines on operational rules, whilst outlining significant fines for inappropriate use. Ultimately, the legislation aims to give more power to customers over the data we manage on their behalf.

Although the aim of the GDPR is not one of scaremongering, there are potentially significant penalties for any evidence that suggests non-compliance with the new regulations. Even where a penalty itself would not have a major impact on your business, the reputational damage could be fatal.

The EU GDPR site has a great deal of detailed information.

What does it mean to you?

GDPR seeks to move companies away from the assumption that the security and privacy of personal information is managed by some mythical component, and towards ensuring that these policies are adopted company-wide by all personnel.

The top eight key points are:

  1. GDPR now applies to any company that deals with Europe or European citizens, not only those resident in Europe.
  2. Penalties are now much more severe, allocated according to a percentage of annual global turnover.
  3. Personal data now includes digital information, such as IP addresses and mobile device identifiers.
  4. We now have to explicitly ask individuals whether we can process their data. We can no longer be vague about what happens to their information or how we process it. Essentially, power goes to the people: they can now request what data we safeguard and they can also ask for it to be deleted.
  5. Technology is now expected to meet the requirements of GDPR, with encryption being the key dependency for data transmission and storage.
  6. Eventogy keeps an audit trail and logs of every single action, maintaining records of who did what, and when, something that the new GDPR requires of data processes.
  7. Although working to ISO 27001 will require you to do this anyway, reporting personal data breaches will become mandatory within 72 hours of becoming aware of them.
  8. Data Protection Officers are going to become mainstream components of every organisation, ensuring due diligence and policy.

Ultimately, the creation and enforcement of the GDPR is not one of scaremongering; its intention is to create an ethical set of rules that puts moral responsibility at the heart of the act. Ensuring the protection of individuals' privacy is a serious moral obligation, and implementing the act should be seen as a move in the right direction for any organisation that places value on the privacy of individuals, regardless of what we do.