What is GDPR: The General Data Protection Regulation (GDPR) comes into effect on the 25th of May 2018 and aims to bring data protection legislation in line with the ways in which data is currently used.
Serviceteam IT has recently completed research on the ways in which businesses in the UK use the cloud and the external factors that are likely to influence the use of the cloud in the future. One of the key findings from this report was that 62% of respondents highlighted GDPR as the biggest challenge to their IT plans over the next 3 years. One interviewee from a technology fleet management provider commented that the sheer volume of data the company holds makes GDPR the greatest challenge for the company at this time. Adherence to GDPR was, in his opinion, ‘bigger than anything else the company has had to deal with’. You can read the results of the UK Cloud Snapshot Survey 2017.
But what is GDPR? Who does GDPR apply to? What does GDPR mean for businesses in the UK? This post gives you an overview of what GDPR is and what it means for you.
What is GDPR?
GDPR is an attempt to harmonise the data protection laws between countries within the EU. It is essentially an expansion of the Data Protection Act, introducing tougher fines for those found to be non-compliant and giving people power to have a say in the way in which companies use their data. GDPR was introduced to the House of Lords as the Data Protection Bill 2017 on 13th September 2017.
GDPR applies to both data processors and data controllers. Data controllers determine how and why personal data is processed, and data processors then act on those instructions. Both parties will be liable if a company is found to be non-compliant with GDPR.
One of the major changes the GDPR brings is that companies located outside of the EU will still have to ensure that they are compliant with GDPR if they hold data of EU citizens. This means that, despite the UK's decision to leave the EU, firms in the UK will still need to comply with this change in regulation. It is for this reason that the firms surveyed in our research were so concerned with the challenge of complying with this regulation. If a company is found to be non-compliant with the demands of this regulation it can face a fine of €20 million or 4% of global annual turnover (whichever is higher).
What counts as personal data under GDPR?
The definition of personal data under GDPR has been expanded from what was previously outlined in the Data Protection Act. The definition is more detailed under GDPR, and information including an online identifier such as an IP address is now classified as personal data. In addition to this, processing the personal data of children under the age of 16 will now require parental consent.
When can people access the personal data companies have stored on them?
Individuals can request access to the data companies have stored on them at ‘reasonable intervals’. Companies have an obligation to respond to such a request within a month of it being made. People have the right to request to see any data that a company holds on them, and to learn how this data is being used and how long it will be stored for. They also have the ‘right to be forgotten’: individuals have the right to request that their data be erased from a company's systems.
What happens if a company experiences a data breach?
If a company experiences a breach that puts people’s rights and freedoms at risk, it is obligated to inform the relevant data protection authority within 72 hours of the organisation becoming aware of the breach. This notification must include an outline of what type of data has been affected, what the likely consequences are, and an outline of a response plan.
Failure to meet this 3-day deadline means an organisation risks a fine of 2% of its global annual turnover or €10 million, whichever is higher.
GDPR therefore presents a major challenge to businesses seeking to ensure that they are compliant. Many businesses are confused by the requirements of the GDPR and find them almost impossible to translate into a set of controls to implement across the organisation. With just one purchase you can now put in place the security baseline you need in order to meet the legislation and get compliant. For more information on this, please check out one of our other blogs on what GDPR is.