Data is essential to the daily and future workings of an organisation. With commercially sensitive information held and stored electronically and physically, the loss or theft of stored data carries serious consequences, including reputational, financial and legal damage. There is therefore significant pressure on all organisations and businesses to take every necessary step to secure the privacy of their data.
Next year, an important new piece of data protection legislation, the EU General Data Protection Regulation (GDPR), comes into force. GDPR is a uniform regulatory framework that applies across the EU and beyond, defining and bringing together multiple requirements for securing data under a single, clearer piece of legislation.
Some important facts related to GDPR are listed below:
- The legislation comes into force on 25th May 2018 and replaces the Data Protection Directive (Directive 95/46/EC).
- GDPR will still apply to the UK even after Brexit, meaning that there will be no opting out!
- In the UK, the legislation will supersede the Data Protection Act 1998.
- GDPR is a legal compliance issue. The role of IT is therefore to help organisations ensure they are legally compliant.
- It applies to all organisations, businesses and service providers regardless of geographical location.
- The data protected under GDPR is any form of personally identifiable information held about EU citizens, including names, addresses, medical details, contact numbers and more.
- It covers all data held electronically, on paper and in other formats.
As a legal framework, the scope of GDPR is extremely large and complex. For organisations and businesses, the legislation brings many changes that affect how personal data is stored and used, through strict new legal requirements on how they may collect, record, store and process data, and by defining what must be done to ensure compliance.
These requirements include:
- Privacy by design: reducing data collection and retention, and requiring explicit permission to capture data.
- Before processing personal data, organisations must analyse and determine privacy risks through Data Protection Impact Assessments (DPIA).
- An individual has the right to have their data deleted, as part of the right to be forgotten.
- GDPR applies worldwide to anyone who holds personal data on an EU citizen.
- In the UK, any data breach must be notified to the Information Commissioner’s Office (ICO) within 72 hours.
- Infringements of GDPR carry penalties, including fines of up to 4% of an organisation’s total revenue.
In this digital age, where political issues such as Brexit have created uncertainty, it is more important than ever that personal data is stored securely and processed legally. Organisations must take all appropriate steps and measures to ensure their systems and processes are GDPR compliant. They will also need to check thoroughly that their business partners and suppliers are compliant.
To summarise, GDPR is an all-encompassing piece of complex legislation that will transform how personal data can be legally used and processed. Technology will play a major part in ensuring that all organisational areas work together to achieve legal compliance by adhering closely to GDPR requirements. Organisations and businesses of all sizes must therefore be aware of the requirements of GDPR, as infringements can damage their brand both financially and reputationally.