The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 and replaces the UK’s existing Data Protection Act (DPA).
What does this mean for an organisation? Under existing UK law, all organisations have to comply with the current Data Protection Act, which governs the use of personal information. Everyone within your organisation is responsible for ensuring that personal data is…
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the European Economic Area without adequate protection
With GDPR coming into effect and replacing the DPA, you need to be aware of the impact it can have on your organisation and its employees.
How many times have staff within your organisation copied data onto a USB stick so that they could work from home? What data did they copy, and did it contain personally identifiable information?
Was it encrypted? Did anyone else have access to the USB stick apart from the person responsible for it? If it was lost, would anyone have noticed, and would it have been reported?
We need to take security seriously in general; this is not just about new regulation. Under GDPR, however, the loss, breach, unauthorised access, alteration or destruction of personal data can carry serious financial consequences for an organisation.
Under the DPA, only certain bodies and organisations have so far been obliged to report breaches of personal data to the ICO (Information Commissioner’s Office), and the maximum monetary penalty the ICO can impose for a breach is £500,000.
Under GDPR, a breach of security that requires notification to the supervisory authority (the ICO in the UK) is defined as follows…
Any breach which is likely to have a significant detrimental effect on individuals which could lead to: discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
For a lot of organisations this means that any loss of customer details where the breach could leave the individuals open to identity theft must be reported.
Reporting a breach under GDPR requires notification to the authority within 72 hours of becoming aware of it. Failing to notify is itself an infringement, punishable by fines of up to €10 million or 2 per cent of an organisation’s global annual turnover, and the underlying failure to keep personal data secure can be fined at the higher tier of up to €20 million or 4 per cent of global annual turnover, whichever is greater.
The stakes are therefore high for all organisations to take the security and protection of personally identifiable data seriously. You cannot afford to ignore the risks, no matter what sector your organisation works in.
Follow our blog each month for further insights and information on GDPR.