Category Archives: GDPR

GDPR – Are You Ready?

Is your business ready to meet the new GDPR (General Data Protection Regulation) framework?

GDPR is a legal compliance framework that applies from Friday 25th May 2018, and it brings many important changes to data protection. These affect how businesses and public sector organisations in the UK and worldwide must ensure they are legally compliant with all of its requirements. The regulation also sets out clearly the consequences of falling short. You can find more information on GDPR and how it affects your business in the article further down this page.

How can you make your business ready for GDPR?

The starting point is to audit, identify and understand the data you hold, along with how it is used, processed and protected. To achieve this, ask yourself the following questions:

  1. What personal data (any information relating to an identified or identifiable living individual) is held by your business, and where?
  2. How does your business use the data held?
  3. What policies (legal, technical, procedural) do you have in place to protect data?
  4. Have you identified and assessed the privacy risks posed to the individuals whose data you process?
  5. Have you incorporated privacy into your business processes to minimise risks?
  6. What have you done to raise awareness of GDPR amongst your employees and clients?
  7. Have you put into place any accountability and governance measures?
  8. Have you nominated a DPO (Data Protection Officer) to oversee GDPR compliance? A DPO is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special category data; other organisations may still appoint one voluntarily.

From the questions above, you can start to understand and document how your data is used, stored and protected. This will assist you in developing a tailored approach for your business to meet the requirements of GDPR. In addition, this will also assist in identifying and addressing any potential compliance issues, as well as delivering best practice.

I cannot overstate how important it is for businesses to ensure they are compliant with the GDPR framework. With cyber and data security firmly in the spotlight today and in the future, infringements of GDPR (not only data breaches, but also unlawful processing or failure to honour individuals' rights) carry significant penalties: fines of up to €20 million or 4% of a business's total worldwide annual turnover, whichever is higher. For businesses of all sizes, the cost of a breach or an infringement under GDPR has the potential to be crippling, both financially and in terms of brand damage. It is therefore vital that your business is GDPR compliant before it is too late.

There is plenty of information and help available, so there is no excuse for not being ready for GDPR.

Time is running out fast, so be prepared!

More information is available by clicking on the links below:

https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/

https://www.eugdpr.org

https://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html

http://www.itpro.co.uk/it-legislation/27814/what-is-gdpr-everything-you-need-to-know


GDPR – How will it affect businesses?

Data is essential to the daily and future workings of an organisation. With commercially sensitive information held and stored both electronically and physically, the loss or theft of stored data carries serious consequences, including reputational, financial and legal damage. All organisations and businesses are therefore under significant pressure to take every necessary step to secure the privacy of the data they hold.

Next year, an important new piece of data protection legislation, the EU General Data Protection Regulation (GDPR), will begin to apply. GDPR is a uniform regulatory framework coming into effect across the EU and beyond, bringing together multiple requirements for protecting personal data under a single, clearer piece of legislation.

Some important facts related to GDPR are listed below:

  1. The regulation applies from 25th May 2018 and replaces the Data Protection Directive (Directive 95/46/EC). Being a regulation rather than a directive, it applies directly in every EU member state without needing separate national laws to transpose it.
  2. GDPR will still apply to the UK even after Brexit, meaning that there will be no opting out! UK organisations that offer goods or services to, or monitor, people in the EU remain within its scope, and the UK government has committed to implementing the same standards in domestic law.
  3. In the UK, the legislation will supersede the Data Protection Act 1998.
  4. GDPR is a legal compliance issue. Therefore the role of IT is to help and assist organisations with ensuring they are legally compliant, not to own compliance on its own.
  5. It applies to all organisations, businesses and service providers established in the EU, and, regardless of geographical location, to any that offer goods or services to people in the EU or monitor their behaviour.
  6. The data protected under GDPR is any personal data, meaning information relating to an identified or identifiable living individual in the EU (the test is where the person is, not their citizenship). This includes names, addresses, medical details, contact numbers, online identifiers such as IP addresses, and more.
  7. It covers personal data processed electronically, and data held on paper or in other formats where it forms part of a structured filing system.

As a legal framework, GDPR is broad and complex in scope. For organisations and businesses, the legislation brings many changes affecting how personal data is stored and used, through strict new legal requirements on how they may collect, record, store and process data, and by defining what must be done to demonstrate compliance.

These requirements include:

  1. Privacy by design and by default: collecting and retaining only the personal data that is necessary for a stated purpose. Every processing activity needs a lawful basis; consent is one of six such bases and, where relied upon, must be freely given, specific, informed and unambiguous (explicit consent is required for special category data such as health information).
  2. Before starting any processing that is likely to result in a high risk to individuals (for example large-scale monitoring or profiling), organisations must analyse and document the privacy risks through a Data Protection Impact Assessment (DPIA).
  3. An individual has the right to have their data erased (the "right to be forgotten") where, for example, the data is no longer needed or consent is withdrawn. The right is not absolute and is balanced against legal obligations and other grounds for retention.
  4. GDPR applies worldwide to any organisation established in the EU, and to any organisation outside the EU that offers goods or services to, or monitors the behaviour of, people in the EU.
  5. A personal data breach that is likely to result in a risk to individuals' rights and freedoms must be notified to the supervisory authority (in the UK, the Information Commissioner's Office, ICO) within 72 hours of the organisation becoming aware of it. Where the risk is high, the affected individuals must also be informed without undue delay.
  6. Infringements of GDPR carry penalties, including fines of up to €20 million or 4% of an organisation's total worldwide annual turnover, whichever is higher (a lower tier of €10 million or 2% applies to less serious infringements).

In this digital age, where political issues such as Brexit have created uncertainty, it is more important than ever that personal data is stored securely and processed lawfully. Organisations must take all appropriate steps and measures to ensure their systems and processes are GDPR compliant. In addition, they will need to check thoroughly that any business partners, suppliers and data processors acting on their behalf are also compliant, since the regulation requires written contracts with processors and makes the organisation accountable for the data it hands over.

To summarise, GDPR is an all-encompassing and complex piece of legislation that will transform how personal data can be lawfully used and processed. Technology will play a major part in helping all areas of an organisation work together to achieve legal compliance, by ensuring that GDPR requirements are closely adhered to. Organisations and businesses of all sizes must therefore be aware of the requirements of GDPR, as infringements can damage their brand, both financially and reputationally.

More information on GDPR is available below:

http://www.itpro.co.uk/it-legislation/27814/what-is-gdpr-everything-you-need-to-know-4

http://www.eugdpr.org/gdpr-faqs.html

https://www.varonis.com/learn/what-is-eu-gdpr/

https://techstringy.wordpress.com/2017/04/19/what-ive-learned-about-gdpr/

North West Data Forum – My Learning Recollections

In today's digital world, there are many security risks posed to data. These relate not just to technology, but also to people, markets, skills shortages, resistance to change, organisational culture and more. This poses a major challenge for organisations seeking to comply with data protection legislation.

From May next year, the legislative landscape for protecting data is changing, because the EU General Data Protection Regulation (GDPR) will begin to apply. GDPR is a legal regulatory framework that will apply to organisations and businesses of all sizes that process the personal data of people in the EU.

Data security is a keen interest of mine. Recently I attended the North West Data Forum in Liverpool. Organised by Gardner Systems, the forum looked at the imminent introduction of GDPR, as well as how technology can assist organisations in ensuring they are compliant. Having previously written about other Gardner Systems events on data security, I was extremely keen to find out more about GDPR for myself. I am delighted to say that I came away feeling the forum had been worthwhile, informal and useful.

The forum consisted of three speakers, followed by a panel discussion. The speakers were Grant Caley from NetApp, John Hughes from Varonis and Paul Stringfellow from Gardner Systems. Each talked about how technology can assist organisations in becoming legally compliant with GDPR. For me personally, there was a great deal to learn from all three speakers, not only about securing data, but also about how technology can help with complying with legislation.

Below are some of the key points that I learned:

  1. Recognise and understand the value of the data you hold.
  2. Challenges posed to data security extend beyond IT (Information Technology).
  3. Fewer embedded skills within organisations make them more vulnerable.
  4. Data needs to be maintained, transferable and also made portable.
  5. Explicit permission is required when transferring data.
  6. Technology only helps with ensuring compliance.
  7. Important to think about security when designing and developing solutions.
  8. 70% of security breaches went undetected for a year.
  9. Data access needs to be not only secured, but also monitored and analysed for abnormal behaviour.
  10. Security must work for people, as they use the technologies.
  11. Educate people on general principles on why data security is important.
  12. Important to collaborate with others.

The panel discussion was very thought-provoking, with the audience asking pertinent questions related to GDPR. The discussion also allowed the audience to submit questions through Twitter. Sensing an opportunity, I submitted a question asking if GDPR would still apply after Brexit. The response I received was an unequivocal and resounding yes from the panel: GDPR will apply to the UK after the conclusion of Brexit. I learned this is because the legislation applies to any organisation or business that collects and holds data on EU citizens. Furthermore, the panel explained to the audience that my question had been asked constantly by audience members at other GDPR-related forums and seminars. I was therefore delighted to have asked a meaningful question that is relevant today.

I would like to thank everyone at Gardner Systems and all the speakers for a very interesting forum. As well as meeting fellow IT professionals, I found the experience very educational and a valuable investment in my own knowledge and understanding of the importance of data security and GDPR. I was also impressed by the technical insight of Grant, John and Paul, and I felt privileged to listen to and learn from three knowledgeable professionals.

With regard to GDPR, look out for my next article, in which I shall be writing in more detail about what it is and how it will affect organisations.