3rd May 2017
With IT access ever more widespread, available and flexible, the world is generating data at an increasing pace. As the volume of data rises, so too does the complexity of controlling and securing it.
A variety of high-profile data breaches have reached the headlines in recent times: Wonga, Three, Sports Direct, Tesco Bank, Sage, Kiddicare and TalkTalk, to name a few.
With the sheer proliferation of data available, and with data breaches increasing by 40 per cent in 2016 [Source: ITRC and Cyberscout], data protection can no longer be a side-line, box-ticking exercise; it needs to be at the core of your operations.
Figure 1 Source: ITRC
Regulatory bodies have recognised this, and the EU has launched the General Data Protection Regulation (GDPR) as a framework for the protection of personal data, effective 25th May 2018.
Any business trading in Europe will need to comply, regardless of the UK’s EU membership status. In addition to the damage that breaches can do to your reputation and future trading, there will also be steep fines for non-compliance with this legislation.
Last year UK fines from the Information Commissioner’s Office (ICO) were £880,500; under the GDPR this would have been £69 million, according to analysis by NCC Group [Source: The Register].
The GDPR is clear that businesses must take responsibility for protecting the personal data that they collect, hold, process and delete. This responsibility cannot be outsourced to a third party.
Personal data is defined as “anything that can be used to identify an individual or person”. This includes names, addresses and contact details (including work email addresses), cookies, IP addresses and the IMEI of personal devices.
The GDPR goes further than the Data Protection Act 1988, meaning there will be additional measures that businesses need to consider.
Certain companies will be required to appoint a nominated Data Protection Officer; whether this applies is largely dependent on the size of your business and the amount of data processed.
There is a requirement to report any breach where an individual is likely to suffer some form of damage to the relevant supervisory authority within 72 hours.
“The heart of the GDPR is about understanding the context of your data and evidencing sufficient controls to protect it.”
Where previously implied consent was acceptable, individuals now need to actively give their consent for their personal data to be processed. This means it needs to be a positive indication; it cannot be inferred from silence or a pre-ticked box. Consent must be freely given, specific, informed and in no way ambiguous.
Where previously individuals had a right to access the data held about them within 40 days, this has been reduced to one month. In addition, individuals can request their data in an acceptable format, such as electronically.
Businesses are obliged to inform individuals when their data has been hacked, and individuals have the right to prevent direct marketing, automated decision making and profiling.
Interestingly, individuals have a right under this legislation to be ‘forgotten’. If you cannot provide a legitimate reason for keeping their data, they have the right to have it erased appropriately.
Companies must provide context to their data processing by keeping an accessible and detailed record of how data is used, where it is held and who has access to it. This should be accompanied by evidence of an understanding of the risks to the data and of data breaches, together with demonstrable policies and processes for protecting data and mitigating those risks.
Businesses are expected to be 100% compliant with the GDPR from day 1 – 25th May 2018 – and non-compliance with the GDPR will result in fines of up to €20m or 4% of global turnover. Many businesses will already have robust Information Security measures in place, but all businesses should ensure they are fully aware of the requirements of this legislation and have everything in place by May 2018 to fulfil them.