GDPR is Here! What You Need to do now
Posted: Lee @ Intrasource
Is your business ready and compliant for the biggest change in data protection rules for a generation?
GDPR is upon us. The General Data Protection Regulation applies from 25 May 2018, bringing about a major step change in the way businesses in every industry can collect, handle, use and store information about their customers. Fail to comply with the regulation, whether or not you suffer a security breach, and you could face fines of up to €20 million or 4% of your annual global turnover, whichever is higher.
If your business handles personal information or sensitive data about your customers (very likely!) then GDPR applies to you. You simply can’t ignore it. In this post, we take a final look at what it is, and what every business needs to be doing right now if they haven’t already.
What is GDPR?
GDPR is new EU legislation that replaces the 1995 Data Protection Directive and, in the UK, supersedes the Data Protection Act 1998, changing the way personal data can be used. It sets out new rights for EU citizens and residents, giving them more control over their personal data. At the same time, it places stricter obligations on organisations holding any form of personal data or sensitive data, and introduces a heavy fine system for non-compliance.
The UK has already committed to keeping the GDPR rules after Brexit through a new Data Protection Act, with a few changes specific to the UK.
New citizen/resident rights
GDPR introduces a wealth of new data rights for citizens and residents:
- To be informed about who holds their data, what data is held, how it is being used and why it is held
- To access all the data held about them, and to receive it in a structured, commonly used and machine-readable format (like .csv) so it can be moved to another provider
- To object to their data being used for direct marketing or shared with other organisations
- To have inaccurate or incomplete data corrected
- To be forgotten, with all their data erased, subject to certain exemptions (for example where the organisation is legally required to keep it)
- To restrict organisations and businesses from processing their data
The legislation also brings in some new responsibilities for businesses and organisations:
- Businesses can only collect data for specific and legitimate purposes
- Businesses cannot keep data longer than is necessary
- Data must be processed and stored securely
- Data must be processed in a legal, fair and transparent way
- Businesses can only collect the minimum data needed for the stated purpose
GDPR also sets out clear rules on what businesses must do after a personal data breach. A breach of security leading to the "destruction, loss, alteration, unauthorised disclosure of, or access to" personal data must be reported to the ICO (Information Commissioner’s Office) within 72 hours of the business becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. Where the breach is likely to result in a high risk to individuals, the people affected must be told as well. In practice this means you need a way to detect breaches and to decide quickly whether they are reportable.
Take a look at this post on GDPR from February, for more in-depth information about how it may affect your business.
Actions – a quick checklist
Here’s a short and by no means an exhaustive list of some of the actions you need to take to ensure compliance with the new rules:
- Create a list of all the data you hold, where you got the data, who you share it with, what it’s used for, and how long you’re planning on keeping it
- Create a map of where this data is stored, and the way it flows through your business
- Create a defined, compliant policy on how long you’re planning on keeping data
- Check the lawful basis for the data you hold. Where you rely on consent, make sure it meets the GDPR standard (freely given, specific, informed and unambiguous); if it doesn’t, contact the people on your database and ask them to opt in to future communications
- Look at the physical security of your data – and ensure it is safe
- Appoint a Data Protection Officer (where required)
- Train staff on the new GDPR regulations and responsibilities
- Put a breach reporting process in place
- Create a breach response policy
- Ensure your data is stored in a compliant manner
- Create a strong password policy for staff, and enable multi-factor authentication where your systems support it
- Evaluate your cybersecurity processes and systems with GDPR in mind
- Ensure that your technical security is up to date and compliant
- Examine data storage systems and access to all electronic devices
Please note, this isn’t a complete checklist. Full information about the changes, responsibilities and details of the new GDPR regulations can be found at https://www.eugdpr.org/ and, for UK businesses, in the ICO’s GDPR guidance.
Should you be worried?
There has been a lot of scaremongering surrounding GDPR, and whilst it’s important to be vigilant, take it seriously and implement changes, this isn’t a revolution!
Although there are some big changes being introduced, they are an evolution of the existing data protection rules. If your business is already compliant with the existing data protection legislation, it may simply be a case of rewriting your privacy policies, documenting the data you hold and making a few tweaks to your existing systems and marketing methods.
However, if you don’t have any systems in place, it will require some significant changes to the way you handle data.
Technical GDPR support from Intrasource
Is your business ready for GDPR? Are you fully compliant with the new regulations?
Don’t fall foul of the new regulations. If you’re unsure about any aspect of GDPR, we are here to help.
Intrasource can help you put the right technical measures in place to move you towards compliance. Where required, we can also undertake a thorough security audit to see how well prepared you are to protect your digital data. Contact us to see how we can help with your GDPR needs. Read our popular blog on the difference between IT support and IT services, and learn how to protect yourself from impersonation attacks.