The General Data Protection Regulation will become effective on 25 May 2018, and any companies that are not compliant with GDPR will face heavy fines.
The GDPR replaces the old Data Protection Directive and has been designed to ensure that data privacy laws are updated across all EU states and that EU citizens' privacy is put first.
Although GDPR is primarily a law of the EU member states, it will also apply to any company that interacts with any EU citizen and will therefore have a global impact.
The UK will be implementing GDPR, whether Brexit happens or not, and this means that all UK businesses will need to abide by the regulations.
Every organisation processing personal data must put in place safeguards against loss, theft and unauthorised access. Respect for privacy, security of data and awareness of breaches will be key. There is a duty to report a breach within 72 hours. If that breach potentially carries a high privacy risk, then the affected individuals should also be advised of the data breach. This is a significant change to the current Data Protection regime in the UK.
The definition of personal data has been extended and includes anything that could be used to identify an individual. This includes, for example, genetic data and IP addresses. The GDPR will be more robust in its protection of data than anything we have previously seen, and businesses will be more accountable.
Fines can be as high as €20 million or 4% of global turnover, whichever is greater.
Some of the key points that make understanding GDPR important are:
- This will apply to all companies that operate within the EU and UK;
- GDPR now treats any data that can be used to identify an individual as personal data, which will include things such as genetic, mental, cultural, economic or social information;
- Companies need to show that they can prove valid consent for using personal information;
- GDPR requires public authorities processing personal information to appoint a data protection officer (DPO). However, all companies should ensure that they have appointed a DPO and understand the risks associated;
- Companies now need to include mandatory privacy impact assessments (PIAs);
- Companies must now report any data breaches;
- The GDPR introduces the right to be forgotten;
- GDPR requires privacy by design.
Some organisations will need significant resources and time to prepare for GDPR.
Certification to Cyber Essentials is a great first step. It can already partially mitigate ICO fines if a company suffers a breach. Cyber Essentials certification is evidence that you have carried out basic steps towards protecting your business and your data from internet-based cyber attacks.
GDPR will require more than just the Cyber Essentials basic technical controls: by certifying to the IASME governance standard as well, you show that your organisation has a wider governance system for management of the controls protecting personal data.
The IASME governance standard adds a number of topics to Cyber Essentials which will really help with GDPR compliance, such as assessing business risks, training staff, dealing with incidents and handling operational issues. It does not confer complete compliance with GDPR, but it does demonstrate significant progress.
As a Certification Body, PKF Francis Clark can assist you on the path to compliance with Cyber Essentials or the IASME Standard.
For further information please contact firstname.lastname@example.org or your normal PKF Francis Clark contact.