GDPR – WHAT’S NEW?
The EU 2016/679 regulation (also known as the General Data Protection Regulation or GDPR) covers the protection of natural persons with regard to the processing of personal data, and the free movement of such data. It comes into force May 2018 and will give citizens of EU countries greater rights over their personal information, and place greater obligations on organisations to protect this data. It includes the right to be forgotten, the right to know when personal data falls into the wrong hands (e.g. hackers) and the need for explicit consent (in certain cases) prior to processing personal information.
WHAT’S IT ALL ABOUT?
GDPR affects SMEs that not only collect personal details but also store, move and access them online. Personal data is used in everything from sales to customer relationship management to marketing. GDPR replaces the existing Data Protection Act (DPA), and the Great Repeal Act is likely to convert GDPR into British law. The FSB claims SMEs are now more likely to be targeted by cybercriminals than their large corporate counterparts.
WHAT DOES THIS MEAN FOR SMEs?
Companies must keep a thorough record of how and when an individual gives consent to store and use their personal data. Consent must be given by active agreement, e.g. it cannot be inferred from a pre-ticked box. Companies that control how and why data is processed will have to show a clear audit trail of consent, including screen grabs or saved consent forms. When somebody withdraws consent, their details must be permanently erased, not just deleted from a mailing list: GDPR gives individuals the right to be forgotten. In the event of a data breach, GDPR requires companies to inform the relevant authorities within 72 hours, giving full details of the breach and proposals for mitigating its effects. GDPR requires SMEs to know exactly what personal data they hold and where it is located (whether on PCs, on servers, or in the Cloud), and to have procedures in place to ensure its complete removal when a request to do so is made. Monitoring protocols must be able to recognise and act on breaches as soon as they happen, and an incident recovery plan must be in place to deal with the repercussions.
THREATS TO YOUR DATA
Accidental data leaks, disloyal employees, cybercrime
REVIEW YOUR RISKS
People, processes, technology
Acknowledgement to BT’s white paper ‘Dealing with the new EU data-protection regulation’