The General Data Protection Regulation (GDPR) is a major change to data protection law and will supersede the current Data Protection Act 1998 (DPA). Overall, the GDPR strengthens privacy rights for individuals and imposes stricter obligations on organisations to manage securely any personal data they hold.
The regulation comes into effect on 25 May 2018. While that may still be a year away, the changes it requires are time-consuming, so avoid delay and start your preparations now. Organisations tend to hear ‘data’ and immediately turn to their IT teams, but this legislation also affects teams such as Marketing and Accounts and is an organisation-wide commitment, which is a further reason not to delay.
Personal data means any data relating to an identified or identifiable individual, which can include anything from email addresses to religious beliefs. Because the definition is broad, the ICO have produced a quick reference guide (8 pages) and a much more detailed guide (30 pages).
You can download our GDPR overview and checklist to help on your compliancy journey here.
While the changes required may be time-consuming, they should be seen not as a box-ticking exercise but as an opportunity to improve and build upon your current data management and protection practices. With high-profile data breaches damaging profits and reputations, data security is more important than ever for any organisation. A robust IT security setup is only going to become more important, so effective GDPR compliance will put you on the path to a secure, future-proof setup and save you time and hassle in the long run.
We’ve outlined some key steps to take to help you on the path to compliance but if in doubt, speak to your IT team, support partner or you can contact us.
The above steps are a guide to help you on your journey to GDPR compliance. The ICO have also produced a useful 12-step guide to help prepare for GDPR, which includes some high-level initial steps to take.
What about Brexit?
GDPR will come into effect before the UK leaves the EU, so UK organisations will need to be compliant.
Does this just apply to European countries?
No. What matters is not where the organisation is based but whether it processes the personal data of individuals in the EU.
What if I do not comply?
Fines for failing to comply with the GDPR can reach €20 million or 4% of global annual turnover, whichever is greater.
How long will it take to become compliant?
This depends on your current setup and the personal data that you hold (for example, data held on children is subject to much stricter rules), so it will be unique to every organisation.
GDPR represents a major change in data protection and strengthens individuals’ privacy rights. While becoming compliant will be a time-consuming and organisation-wide initiative, data management and security are only going to increase in importance and become a top priority for organisations. Taking the correct steps now to evaluate and improve current processes and infrastructure has a two-fold benefit: it ensures GDPR compliance and it makes security a top priority for your organisation, which is integral to success.
We hope you have found this article useful as guidance on your infrastructure and security measures. If you require more information, or would like to arrange a meeting to discuss how we can help with your GDPR compliance, then please contact us.