On 25 May 2018 the Data Protection Act will be replaced by the General Data Protection Regulation (GDPR), and if your company holds individuals' personal data you will be affected by it. A common misconception is that GDPR will only really affect specific industries, but the definition of personal data is broad and will affect practically every business.
The regulation aims to protect individuals' privacy and their personal data, and comes with hefty penalties for failing to comply. It covers all 'personal data', meaning any data by which an individual can be identified, directly or indirectly, and introduces new measures and procedures for ensuring this data is protected and used correctly.
So what is "Personal Data"?
The regulation covers all data and metadata held about an individual, as opposed to a company. It covers individuals such as your employees, prospects, customers, suppliers or anyone else you encounter. So the regulation doesn't cover an organisation such as 'Massive Dynamics Limited', but it does apply to 'William Bell, Founder at Massive Dynamics'. If you are storing personally identifiable data about your suppliers or customers, you will need to be compliant.
But wait… Brexit!
The ICO (Information Commissioner's Office) has been very clear since the UK's decision to leave the European Union that GDPR will still come into force. When the UK leaves the EU, the GDPR will still be used as the basis for the UK's own replacement legislation. More importantly, if you want to trade with EU organisations, they will still need you to comply with GDPR.
So don't expect this all to go away as we negotiate our way out of the EU.
What is the difference between the current Data Protection Act and GDPR?
Rob Luke from the ICO recently described GDPR as an evolution of the existing rules and not a revolution, summarising it in two words: "Accountability and Transparency". The reach of GDPR is far greater than that of the DPA, and its definition of a data breach is far clearer. There is an increase in responsibility on both the data controller and the data processor, and control is firmly with the individual whose data it is (the data subject).
- Privacy by Design – Privacy and security should not be an afterthought; the key to being compliant is implementing privacy protections from the start.
- When data is collected, the purpose for which you are collecting and using it must be unambiguous.
- You must not continue to hold data once it is no longer needed for the purpose it was collected for.
- The individual has the right to have their data erased on request (subject to exemptions, for example where you are required by law to keep it).
- All businesses in the EU must be compliant, as must organisations outside the EU that process the personal data of individuals in the EU, for example when trading with EU organisations.
Whilst there is still just under a year to go, very few of the companies we speak to have started working towards compliance, and according to Computer Weekly 44% of IT professionals.
Stay tuned for Part 2 of our GDPR series, which will cover the steps to take to ensure you're compliant.
For more information on how our Cloud Backup service can assist with your GDPR compliance, please get in touch with us on firstname.lastname@example.org or 01252750549