About the GDPR
In March 2014 the European Parliament voted overwhelmingly in favour of a new EU General Data Protection Regulation (GDPR). The regulation was adopted in April 2016 and, after a two-year transition period, applies from 25 May 2018. Because it is a Regulation rather than a Directive, it is directly applicable in every member state and does not need to be transposed into national law by each government.
The UK Information Commissioner's Office (ICO) has said that the UK will adopt the new rules as an update to the Data Protection Act (DPA). The government has confirmed that the UK's decision to leave the EU will not affect the commencement of the GDPR.
The following text is taken directly from the ICO's website*:
Who does the GDPR apply to?
- The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA – ie the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
- The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
- The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
The regulation focuses on protecting personal data and carries heavy fines: up to €20 million or 4% of worldwide annual turnover, whichever is higher. For a business there is now a compelling reason to classify data correctly and store it securely, because non-compliance can mean a hefty fine.
If your customers, or your customers' customers, are individuals, for example in legal or accounting work carried out on their behalf, or in health care or recruitment, then the GDPR is likely to apply to that data. If you collaborate with them electronically, perhaps using consumer file-sharing (Dropbox-type) services, unencrypted email or instant messaging, it is time to review those tools and bring them into line with the new regulation.
The scope is wide: email, document sharing, instant messaging, USB sticks and other portable storage devices, including smartphones, all fall within the GDPR, which applies from May 2018.
What can you do?
There are several things you can do to reduce the risk of breaching the GDPR and to lessen the financial impact (the fine) of any breach. Encryption is worth singling out: Article 32 names it explicitly as an appropriate technical measure, and under Article 34(3)(a) a controller need not notify affected individuals of a breach where the data was rendered unintelligible, for example by encryption, to anyone not authorised to access it.
- Encrypt email and documents in transit and at rest (for example TLS for transport, and file- or disk-level encryption for stored data).
- Ensure you are using secure, business-grade collaboration platforms rather than consumer services.
- Start protectively marking (classifying) your data, so you know what you need to protect and where it is.
- Put staff and management training and awareness programmes in place.
Data protection by design and by default
Under the GDPR (Article 25), you have a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities.
The GDPR is a large topic, but it need not take up a significant amount of your time or IT budget. It is also not something businesses in the UK can ignore.
Contact us to learn more about how Cleartext Systems can help you with GDPR compliance.
*Attribution: Information Commissioner's Office, 'Data protection reform: Overview of the GDPR, Introduction', March 2017, licensed under the Open Government Licence.