Time to act on GDPR
Data security has always been a serious topic, because it’s one of the main planks of IT use, but it’s about to get even more serious for everyone.
Typically, when planning your IT, you would start with the hardware. After that, the priority very quickly becomes securing and backing up the data that exists on or flows through that hardware.
Very soon, though, the way you manage and protect your data is going to move even further up the agenda – possibly even to be considered before the hardware and networks.
That’s because new data laws (in addition to these…), which have existed for almost the last two years, will start to be enforced from next May, and they come with very hefty fines for anyone who doesn’t take them seriously.
Hopefully by now you’ve heard of the General Data Protection Regulation – or GDPR, as it’s more commonly shortened to.
It’s a huge redesign of the Data Protection Act we’ve been familiar with for decades now, and it applies across European Union countries. The fact that our destiny is to leave that club does not matter, because the law will already be in force and we will need to follow it if we are to continue to do business with Europe and the people who live there.
There are some key things to understand about GDPR:
– It puts the focus on the proper management of data, from securing it to ensuring you have a legal basis to hold it in the first place and that the people you hold information on have simple and timely access to it (among other new rights).
– If you are found in breach of the GDPR rules, there are fines available to regulators which far outstrip the measures available to them now. A fine that might run into the tens of thousands under the Data Protection Act can quite literally be into the tens of millions of pounds under GDPR. They can reach up to four per cent of an organisation’s global turnover. That’s really something to think about!
– GDPR is not just about draconian laws; it’s a revisiting of the value of data for the digital age. It’s about making sure that those who hold data are able to unlock its value, perhaps by mining it, combining it with various sources, selling it on and modelling it to tell us things about the world that we couldn’t otherwise know. In order to do that, it has to be accurate, legitimately held and properly protected. That’s in everyone’s interests.
GDPR and You
The big question is: what does this mean for you and your business?
In short, it means you need to be preparing now to make sure you meet the requirements of GDPR. You need to know what data you hold, how and where you hold it, who has access to it, whether it is up to date, whether it is secure and whether you have a legal basis under GDPR rules to hold it.
When you know that, you need to be able to document your systems and how they are operated, have justifications in place for who can see and use data and have ways to record when and by whom the data is accessed. There must be ways to quickly provide data to the people it is about if they ask and methods to transfer their data to other processors if they request you to do so (a right the data subject is given under GDPR).
Some of this is organisational, but much of it is technical. Many of the huge fines we are going to see will be the result of data breaches and loss. If you haven’t taken appropriate, demonstrable steps to make your systems secure, you risk being held expensively accountable.
So, a great starting point is to examine your IT. Have you got all of the security angles covered, including staff training? Have you checked that all of your data is held in the places where it should be (no copies of databases on staff desktops, or duplicates in unofficial cloud accounts…)?
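One way to turn that last check into something repeatable is a small inventory script that walks a file tree and flags database or export files sitting anywhere other than the locations you have approved. The code below is an added example, not from the original post or from any product; the list of data-like file extensions, the approved directory `srv/db` and the sample file tree are all constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Assumption for this example: file types that usually indicate a database
# copy or a data export. Extend this to match what your systems produce.
DATA_EXTENSIONS = {".mdb", ".accdb", ".sqlite", ".db", ".bak", ".csv", ".xlsx"}


def find_stray_data_files(root, approved_dirs):
    """Walk `root` and return data-like files that are NOT under an approved
    directory, as paths relative to `root`, sorted for stable reporting."""
    root = Path(root).resolve()
    approved = [str((root / d).resolve()) + os.sep for d in approved_dirs]
    stray = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in DATA_EXTENSIONS:
            continue
        full = str(path.resolve())
        # A file is fine if it lives inside one of the approved locations.
        if any(full.startswith(a) for a in approved):
            continue
        stray.append(str(path.relative_to(root)))
    return sorted(stray)


def build_sample_tree():
    """Constructed sample directory for the demonstration; contains no real data.
    One sanctioned database store plus two unofficial copies on user desktops."""
    base = Path(tempfile.mkdtemp())
    (base / "srv" / "db").mkdir(parents=True)
    (base / "srv" / "db" / "customers.sqlite").write_text("constructed")
    (base / "home" / "alice" / "Desktop").mkdir(parents=True)
    (base / "home" / "alice" / "Desktop" / "customers_copy.sqlite").write_text("constructed")
    (base / "home" / "bob" / "Downloads").mkdir(parents=True)
    (base / "home" / "bob" / "Downloads" / "export.csv").write_text("constructed")
    (base / "home" / "bob" / "notes.txt").write_text("constructed")  # not a data file
    return base


def demo():
    """Run the audit over the constructed tree with `srv/db` as the only approved store."""
    base = build_sample_tree()
    return find_stray_data_files(base, ["srv/db"])


if __name__ == "__main__":
    for stray in demo():
        print("stray data file:", stray)
```

Run it against a real share or workstation image by replacing the constructed tree with the path you want to audit and listing your sanctioned database and export directories in `approved_dirs`; the output is a list you can fold into the data inventory the audit needs, and re-running it on a schedule shows whether copies keep reappearing.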
If you haven’t started already, now is the time to get familiar with GDPR, start an audit, create a plan and ask your IT department or service provider where the gaps might be.
If you don’t know where you stand or where to start with securing your systems and communications, you can pick up the phone to us. Whatever you do, don’t let the May 25th 2018 implementation date arrive without having done anything!