
GDPR is a year away – what should you be doing …


The General Data Protection Regulation (GDPR) is aimed at strengthening, and at the same time unifying, data protection for all people in the EU. Strengthening because it widens the definition of the data that is protected, extends the rights of the data subject, and increases the penalties for non-compliance and for breaches. Unifying because it brings to an end the current variation between the data protection acts of the member states; Ireland, for example, with its relatively relaxed data protection authority, has been a popular base for companies like Google.

The GDPR also gives residents of the EU more visibility of, and control over, their personal data. You will need a good reason (a lawful basis, such as clear consent) to collect personal data, you may use it only for the purpose you declared when you gathered it, and you must delete it once that purpose no longer exists or when the data subject asks you to.

Phew… So, when will this happen? The regulation was adopted on 27th April 2016 and, being a regulation rather than a directive, needs no national implementing legislation: it automatically replaces the Data Protection Directive 95/46/EC on 25th May 2018.

At the time of writing, you have about a year.

What is new?

  • Unlike most existing data protection acts, the GDPR applies to any data that could identify a person, including genetic, mental, cultural, economic and social data.
  • Data may be kept only for the purpose it was collected for, and must be deleted once that purpose ends. Data must not be kept any longer than is necessary, and data subjects have the right to request its removal, the so-called 'right to be forgotten' (right to erasure).
  • There is no hiding place: this applies to any organization worldwide that keeps data on EU residents. If you are in the UK, Brexit will not allow you to ignore this if you hold data on EU residents.
  • The GDPR applies to all businesses regardless of size. Organizations whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data (this can include data on your own staff; an earlier draft of the regulation set the threshold at roughly 5000 records), will need to appoint a Data Protection Officer, responsible for advising the business on GDPR compliance and for independently supervising that compliance.
  • You will need a clear lawful basis, typically explicit consent, to gather, store and use the data.
  • The GDPR gives special protection to children, defined as those under 16 (member states may lower the age to 13).
  • There will be a single EU-wide breach notification regime: you will have 72 hours from the time the organization becomes aware of a breach to inform the relevant supervisory authority.
  • The GDPR applies to data processors, organizations that process data on behalf of others, as well as to data controllers, the organizations that decide why and how the data is gathered.
  • Security measures must be appropriate to the risk, taking into account the state of the art (Article 32). This specifically includes the ability to restore availability of, and access to, personal data in a timely manner following a physical or technical incident.
  • Penalties are:
      • up to €10m or 2% of worldwide annual turnover (whichever is greater) for not having adequate security measures in place;
      • up to €20m or 4% of worldwide annual turnover (whichever is greater) for breaching fundamental aspects, such as not obtaining consent when required to.

10 things you need to be doing now.

  1. If GDPR applies to your organization, pay attention and take it seriously; it is not going away. One report suggests 20% of UK IT directors are not aware of GDPR: don't sleepwalk into a breach. If you are in the UK, Brexit will make no difference (in fact the UK is planning to adopt the GDPR). Be sure to understand your obligations: GDPR is not only an IT issue, it is a board-level matter.
  2. Audit ALL the data you hold, not just the data covered by your current data protection regime; the definition of personal data is changing. Do you hold any data that will fall under the new definition?
  3. Review your current, and future, use of personal data: what data you hold, how it is stored, and how and for what purpose it was gathered. Do your IT systems and processes need to change to reflect the new definition of personal data and the new obligations upon you?
  4. Review your data collection processes, including your privacy notices at the point of collection. You will have to tell people how you intend to use their data, the legal basis on which you are processing it, how long you will retain it, their right to complain to the ICO and their right to request deletion.
  5. Review your data maintenance processes; for example, individuals have the right to access their data and to request corrections for accuracy.
  6. Train your staff: what GDPR is, how it may affect your business, share your plans, identify gaps and upskill where necessary.
  7. Also review your hardware and systems: are they up to date, and are they vulnerable to modern cyber attacks? Have you considered both external and internal threats?
  8. Do you use encryption, virtual patching, integrity monitoring, malware protection and sandboxing? What data loss prevention measures do you have in place?
  9. Create a compliant Breach Notification Plan.
  10. If your core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data (an earlier draft of the regulation set the threshold at roughly 5000 records), you will need to appoint a Data Protection Officer.

So, now you know more about GDPR. It is coming, it is a year away and that is not very long. We at CSR Digital can help you, particularly in meeting your obligation to keep your IT hardware and systems at the state of the art. Let us help you plan and stay on top of your obligations.
For one example, we have a ready-to-go solution for the requirement to be able to restore access to personal data in a timely manner following a physical or technical failure.

StorageCraft Cloud Backup for Office 365 is an easy-to-use solution designed to protect and manage the recovery of Office 365 data. Protected data is available through a web-based interface that is intuitive to use. Recovery is quick and easy, whether of a file, a folder or an entire backup. One simple per-user, per-month price allows you to keep unlimited versions of Exchange, SharePoint and OneDrive data.