The GDPR (General Data Protection Regulation) is coming for the majority of EU organisations (yes, this includes the UK still) in May 2018. This will mean massive changes to the way controllers store, manage and generally use data.
As these are not guidelines and are legal regulations, there are some pretty hefty fees involved if they are breached. This is something you can’t ignore. The regulation itself is fairly wordy so here are five key things you need to know, broken down.
#1 Right to Erasure (Right to be Forgotten)
Perhaps one of the most important points to take from this regulation is the right for any customer or client to have all of their personal data removed. They can request that any records which contain personal data are deleted or destroyed. Not only this, it must be done within 72 hours or your company will be breaching the regulations.
#2 Reporting Security Breaches
Another major area of the GDPR is the compulsory reporting of security breaches within a set timeframe. You and your company will have 72 hours to report any security breaches of any kind which have put personal data at risk. Failure to do so will resort in potential fines. It can be hard to detect breaches, so this is something that needs to be thought about very soon in the larger context of your IT Security strategy.
#3 Assigning a Data Protection Officer
Article 37 states that every data controller must assign a DPO (Data Protection Officer) who must do several things for the organisation/company. He/she must: inform, advise, monitor and act as a contact point to supervisory authorities. The DPO should be easily contactable from anyone in the company, as they are responsible for reporting any breaches and should be around for any advice needed by other individuals in the company.
#4 Data Portability
A lot of the GDPR is about giving power back to consumers in having more control over their personal data. Part of this is put in place through article 20, data portability. It is there to ensure data can be requested and then received in a structured, machine-readable common format. For example, sending the consumer an excel spreadsheet (.xlsx) file which includes all the personal data you have received from them/collected on them.
#5 EU Citizen Data remaining in EU
One last major area to keep in mind is to ensure an EU citizen’s personal data remains within the EU. This means it cannot be hosted or stored in any country outside the EU, most likely due to different regulations being in place in different countries and the citizen potentially losing some control over their data. Although Brexit is coming, the UK is still obliged to follow this for the near future.
So here are just five of the key points to keep in mind about the GDPR. There are many more aspects within it and much more detail that is required to be understood by any organisations affected. But this lays down the essential foundations of the GDPR and has hopefully informed you that this is not something you should avoid due to the imposing legal ramifications. For more information please visit: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/ from the ICO (Information Commissioner’s Office).