General Data Protection Regulations
Announced in 2016, the European General Data Protection Regulations (or “GDPR”) are an evolution of the Data Protection Act of 1998. After four years of research and development, the regulations come into force in May 2018 in the UK in the form of a new Data Protection Bill.
The aim of this Bill is to address the needs of any company holding personal data in an increasingly digital age, and to increase the privacy rights of the individual. In the UK it will be implemented by the Information Commissioner’s Office (ICO) and will be enforced irrespective of the UK’s departure from the EU.
It comes into force on 25th May 2018 across the continent.
The directive then goes on to give very clear definitions of the types of information you might hold. Firstly there is Personal Data, which broadly refers to any piece of information, such as a name, address or IP address, which could be used to identify an individual.
Then there is sensitive personal data, which as you can imagine is more sensitive and covers a range of areas such as sexual orientation, genetic data, political and religious views etc.
Section 1 of the EU directive identifies two types of people at an organisation level who may handle personal data.
Data Controllers: “a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed”.
Data Processors: “any person (other than an employee of the data controller) who processes the data on behalf of the data controller”.
Under GDPR, there will be increased accountability for organisations that handle personal data, including the need for data protection policies and impact assessments, as well as any relevant documentation detailing how data is processed.
Data breaches, including “destruction, loss, alteration, unauthorised disclosure of, or access to” personal data held by a company, must be reported to the ICO within 72 hours under GDPR in any instance where the breach may be considered to have a detrimental impact upon those whom the data is about.
Large organisations with 250 or more employees must also prepare and hold documentation explaining why personal information is collected and processed, outlining the type of information held, how long it’s kept for and a description of the technical security measures in place to protect the data.
You may also be obligated to employ a Data Protection Officer (DPO) if your company undertakes “regular and systematic monitoring” of individuals on a large scale or processes large quantities of sensitive personal data. In certain situations, you may also be required to clearly obtain consent and a “positive opt-in” in order to hold and use personal data.
To increase the rights of individual EU and UK citizens there will be changes to the process by which anyone can request a copy of the information your company holds about them – from now on companies will have thirty days to comply with a data protection request; under GDPR you cannot refuse and you can no longer charge them for the privilege.
One of the most notable changes under the new Regulations is the change to fines. Under GDPR, serious breaches can result in the ICO fining an organisation up to 4% of their annual global turnover or 20 million euros – whichever is greater.
Minor breaches will also be subject to potential fines of 2% of annual turnover or 10 million euros (whichever is greater). The seriousness of a breach and the level of fine will be determined by the ICO.
Unlike the Data Protection Act, the European GDPR will affect any company that holds personal data of individuals living in countries covered by the directive, regardless of where its headquarters are based. If you trade in the UK or EU and hold personal data covered by GDPR, even if your company isn’t based here, GDPR will affect your organisation.
CloudyGroup are passionate about ensuring that all data, whether yours or that of your customers, is secure. Our certified engineers can help you make sure you are fully prepared for GDPR with an ICO-recognised security implementation.
Map any personal data you currently hold
Manage how data is accessed and used
Put in place measures to secure your data
… to report data breaches
Whether you’re a customer of CloudyIT, CloudyCreative, CloudyComms or CloudyWebHosting, CloudyGroup is here to help. As a Microsoft 365 Partner, we recommend that you take this short online test to see if GDPR will affect you and what measures you might need to consider. Or, if you would prefer, we can help you to go through this. We are currently integrating all the tools set up by Microsoft Compliance to make the switch over to GDPR as smooth as possible.
We are also pleased to be working alongside DPOrganizer software which can help with your data mapping. So whether you are looking to secure the data you hold in our UK Tier-4 data centre, conduct a data mapping exercise, clean your marketing mail lists or simply rewrite your policies to ensure full compliance, get in touch with our team today to see how we can help.