What is GDPR?
GDPR stands for General Data Protection Regulation and will be enforced throughout Europe starting 25th May 2018.
Time to prepare is now
‘Controllers’ and ‘processors’ of data must abide by the GDPR; a data controller states how and why personal data is processed. A processor is the party doing the actual processing of the data.
The time to prepare for this action is NOW. There is no need to panic, but there is a need to prepare and act immediately.
If you are completely confused on how GDPR will affect you, we’ve put together some useful steps to help you move forward.
Step one: Learn the basics
The act replaces the current Data Protection Directive 95/46/EC and aims to protect and empower all EU citizens' data privacy and change the way organisations handle data protection.
You might be thinking that you don't need to prepare because the UK is exempt from GDPR because of Brexit. However, GDPR applies to any organisation that holds data about EU citizens, no matter where the company is located. GDPR will come into force before Britain leaves the European Union (March 2019), and so the legislation will continue to be enforced through our own independent laws moving forward.
Step two: Examine the details
GDPR requires businesses to tighten their data handling to improve the security of personal information. If guidelines are not complied with, companies risk being fined up to either £18 million or 4% of an organisation’s global turnover – whichever is greater.
Personal data is defined as any information relating to an identified or identifiable living person; some examples are:
- Email address
- Mobile phone number
- Passport number
- Genetic or biometric data
- Racial or ethnic origin
- Political opinions
- Religious beliefs
- Photos and fingerprints
Anything that counted as personal data under the Data Protection Act still stands as personal data under the GDPR.
Step three: Personal Rights and Consent
Firstly, individuals have the 'right to be forgotten' if their data is no longer necessary for the purpose for which it was collected. The 'right to be forgotten' also allows individuals to demand that their data is erased if they have withdrawn their consent for their data to be collected, or object to the way it is being processed.
Therefore, controllers are responsible for notifying other organisations to delete all copies of that data, as well as the copies they have themselves.
In addition, controllers must store people’s information in commonly used formats such as CSV files, so that data can be moved to another organisation if requested by the individual – this must be achieved within suitable timeframes.
Individuals must be given the chance to give their consent for an organisation to use their data. If permission is not given and data is obtained, the company could be fined for breaching the GDPR.
Using the opt-in/out method is a simple way to ensure consent. Individuals must be able to understand they have the consent option, without hidden details in the small print.
Step four: Protecting your data
Each country has its own Data Protection Association (DPA), which will ensure companies are compliant with the rules of GDPR.
To protect your company, keep a record/diary of the processes you have already completed to ensure you are meeting the needs of the GDPR. Then, if the DPA turns up and finds a breach of the GDPR in the early stages, you can show that you are in the process of becoming compliant; without a record of progress you risk being fined.
To start with, identify where information is stored and who has access to it. Evaluate which data is most important to protect, based on its classification. Now, starting with priority data, evaluate how it is being produced and protected. You can now decide why your business has this data and if it is needed.
Step five: Protection Strategies
So, you are probably wondering, what do I do to ensure data is protected in compliance with GDPR?
Firstly, you must have the mind-set that data should be protected from the day it is collected until the day it is no longer needed and then a process should be in place to destroy the data in the correct manner.
Strategies such as pseudonymisation, tokenisation and encryption can be used in compliance with the GDPR.
Pseudonymisation – the separation of data so that an identity cannot be recovered without additional information that is held apart from the data set.
Encryption – the value is obscured using an approved encryption algorithm. To reveal the original value, the user needs a secret key, so an unauthorised user without the key cannot recover the true value.
Tokenisation – a reversible process that substitutes sensitive data with non-sensitive random values that have no mathematical association with the original.
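The following is an added example (not part of the original article) showing the difference between the pseudonymisation and tokenisation strategies described above. The `PseudonymiserHMAC` and `TokenVault` classes and the sample record are constructed for illustration: the HMAC key is the "additional information" that must be stored separately, while a token is random and can only be reversed by looking it up in the vault.

```python
import hmac
import hashlib
import secrets

# Constructed sample record for the demonstration: not real personal data.
RECORD = {"name": "Alice Example", "email": "alice@example.org", "passport": "X1234567"}


class PseudonymiserHMAC:
    """Pseudonymisation: a deterministic keyed HMAC replaces the identifier.
    The key is the additional information that must be kept apart from the
    pseudonymised data set; without it the values cannot be linked back to
    a person, but records about the same person can still be joined."""

    def __init__(self, key: bytes):
        self._key = key

    def pseudonymise(self, value: str) -> str:
        return hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()


class TokenVault:
    """Tokenisation: a random token with no mathematical relation to the
    original value; reversible only through the vault's lookup table."""

    def __init__(self):
        self._vault: dict = {}

    def tokenise(self, value: str) -> str:
        token = secrets.token_hex(16)
        # Regenerate in the (vanishingly unlikely) event of a collision.
        while token in self._vault:
            token = secrets.token_hex(16)
        self._vault[token] = value
        return token

    def detokenise(self, token: str) -> str:
        return self._vault[token]  # KeyError if the token was never issued or was erased

    def erase(self, token: str) -> None:
        """Right to be forgotten: dropping the vault entry makes every copy
        of the token unresolvable without touching downstream data sets."""
        self._vault.pop(token, None)


def protect_record(record: dict, pseud: PseudonymiserHMAC, vault: TokenVault) -> dict:
    """Apply both strategies to a record: the e-mail is pseudonymised so
    analytics can still join on it; the passport number is tokenised so
    only the vault can ever reverse it. The name is not carried forward."""
    return {
        "email": pseud.pseudonymise(record["email"]),
        "passport": vault.tokenise(record["passport"]),
    }
```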
Step six: Avoid other risks
Remember the humble diary? Now it is time to get that out again.
After dealing with your top priority data, you will still need to assess other risks, to find where your business might be vulnerable during other processes.
As you do this, continue logging all the processes you are undertaking to prove that you are doing everything possible to comply with the new legislation.
Final step: Continue the process
Updating all systems in which personal data is stored is vital to ensure you are not breaching the GDPR.
To determine the next priority data, businesses must follow the steps from step four.
From now, when collecting new data ensure the GDPR security measures are taken to keep yourself ahead of the game.
Do not waste time thinking that May 2018 is far away. It is better to start the process now and be prepared for the personal data security checks to come.
Prevent those heavy fines and start putting new measures into place today.