One of the biggest changes in data protection law is coming into force in May 2018. The General Data Protection Regulation (GDPR) will affect how companies process and use their customers’ and employees’ data.
The European Parliament has announced an ambitious transformation which will strengthen citizens’ rights to control their personal data and give individuals the option to be erased from a company’s records. Moreover, the legislation means some SME and corporate businesses will have to implement a new data protection programme to be compliant with the regulation. Regardless of whether the UK will be in the European Union or not, the GDPR regulation will go ahead in less than 8 months.
What is changing?
As of May next year, GDPR is going to replace the Data Protection Act (DPA). The framework will impose expensive penalties on businesses that fail to manage people’s personal data securely. According to regulators, personal data is defined as ‘any information relating to an identified or identifiable natural person’. As the majority of businesses hold data on individuals, it will significantly impact day-to-day operations. Any business that does not adhere to the regulations can land itself with fines of up to 4% of its global turnover or 20m euros (£15.8m), whichever is greater.
What does this mean for SMEs?
The new conditions mean all SMEs will need to justify how and when an individual has given them consent to store and use their personal data. Individuals will be able to have a say in how their personal data is held, and will have the right to withdraw consent at any time. For example, if an individual requests to withdraw from an email list, their details must be erased and not kept on file in a deleted mailing list folder.
Once in force, SMEs will have to explain precisely where personal data is stored, whether on a computer, laptop, server, or within software programs, and accurately explain how removal of data is carried out.
Companies will have to strengthen their security measures to reduce the chance of a data breach, as GDPR obliges companies to report any data protection violations to the necessary authorities within 72 hours. Moving forward, GDPR will put greater emphasis on recognising when a breach has occurred and putting an incident recovery plan into action to deal with the consequences.
In preparation for GDPR, businesses are advised to implement systems that will make them compliant with the regulation well in advance of the 2018 deadline.
The Next Steps
If your organisation will be impacted by the new regulation, your next step is to conduct an audit to identify what data you store and process for European citizens, where it is located, how it travels from point A to point B, and by which systems it is processed.
Doing this will reveal the gaps in your systems, which will then allow you to investigate the tools and solutions you may need to invest in to help your organisation achieve GDPR compliance.
How Netpoint Solutions can help
Netpoint Solutions can help your business in becoming GDPR compliant
Your IT systems only account for around 20% of the GDPR regulations. Unlike many IT companies, we work with Certified GDPR Practitioners to help your business become fully compliant in all aspects of GDPR, not just the IT-related areas.
- Find out what your GDPR requirements and obligations are via a GDPR assessment
- Cyber Essentials is seen as a minimum requirement for GDPR; we work within the Cyber Essentials framework as standard and can help your company become certified
- Many businesses require a Data Protection Officer due to the personal data they process. This can be outsourced to our Virtual DPO Service
- COMING SOON - our 'GDPR Compliance Tool Kit' will help your business implement the policies and procedures to become compliant
Office Phone: 01484 506960
- GDPR is one of the biggest changes in data protection for more than 20 years
- Under GDPR, personal data is any information relating to an identified or identifiable natural person
- The legislation will affect how companies process and use their customers’ and employees’ data
- Consumers will gain control over how their personal data is managed and have the right to withdraw consent
- Some SMEs and corporate businesses will have to implement a new data protection program to be compliant with the regulation
- The framework will impose extensive penalties on businesses that disregard the rules on managing people’s personal data securely, with fines of up to 4% of their global turnover or 20m euros (£15.8m), whichever is greater
- Businesses will need to destroy data at the request of an individual
- Companies will have to disclose where personal data is stored, whether on a device or in software
- GDPR obliges companies to report any data protection breaches to the necessary authorities within 72 hours
- GDPR will put great emphasis on recognising when a breach has occurred and putting an incident recovery plan into action to deal with the consequences