GDPR is not just a big problem for big organisations, no matter the size of your business GDPR does apply to you if you are handling any kind of personal data.
The concept of GDPR being a box ticking exercise is the mentality that gets lots of organisations in trouble further down the line, whether you are looking to grow or simple just ensure your businesses success, understanding why GDPR is important and ensuring compliance as well as building an understanding of what GDPR is, is the first step.
In this article we will look at what GDPR is, what this means for your business and what the risks are for not being compliant.
What is GDPR?
The GDPR (General Data Protection Regulation) was created to strengthen EU residents’ rights and offer greater control over how businesses process and use personal data. GDPR was passed by the European Union in May of 2018.
UK GDPR is a set of regulations established in 2018, the regulations set out standards businesses should adhere to, to ensure the protection of data within organisations. The full list of GDPR Regulations can be found on the government website under The Data Protection Act 2018.
If your business operates in the EEA (European Economic Area) then you must still comply with EU GDPR, however for businesses solely operating in the UK you must follow UK GDPR, under The Data Protection Act 2018.
What does GDPR mean for your business?
GDPR should be at the forefront of everyone’s minds when handling data especially sensitive or ‘special category’ data, not only to ensure that we are meeting individuals’ rights but also to remain compliant, after all this is a legislation.
If your business stores and uses data in the UK or is located outside of the UK but you sell goods or services to individuals living in the UK then you must comply with UK GDPR.
It is not uncommon to find legal documents confusing and complex, GDPR is no different, so put simply what is GDPR:
The UK GDPR sets out 7 key principles:
- Lawfulness, fairness, and transparency – organisations must ensure their process, use and collection of data does not compromise the law and that their use of data is transparent to data subjects.
- Purpose limitation – The data an organisation holds must be gathered for a specified purpose, similarly the data must only be held for a specified amount of time to carry out the purpose of which the data was collected.
- Data minimisation – You must only hold the smallest amount of data required to carry out your intended goal, an organisation cannot collect data because ‘one day it might be useful’. We cannot treat a person’s data like that item we all have in our house that ‘might be useful one day’.
- Accuracy – Personal data should be accurate and up to date, it is the organisations responsibility to review and update individuals’ data, inaccurate data must be amended or deleted, individuals can ask that inaccurate data is corrected or deleted this must be done within 30 days of their request.
- Storage limitation – After an organisation has used the data for the reason it has been gathered that data should be deleted. An organisation can establish a retention period for as long as there are grounds to do so; these grounds include but aren’t limited to public interest or historical research.
- Integrity and confidentiality (security) – Measures must be set to safeguard all personal information from damage, loss, unauthorised use, and internal/external threats including cyber-attacks.
- Accountability – Organisations should take responsibility for ensuring the protection of data and show their compliance. Organisations can be asked to show proof that they are compliant in the form of processes and procedure documents showing the steps taken to ensure the protection of data.
These 7 principles cover 8 rights for individuals, these 8 rights are:
- The Right to be Informed
- The Right of Access
- The Right to Rectification
- The Right to Erasure
- The Right to Restrict Processing
- The Right to Data Portability
- The Right to Object
- Rights in relation to automated decision making and profiling
These rights are explained further by the ICO.
What is the risk of non-compliance?
What hurts a business the most? Damage to reputation, financial loss and ceasing operation
Non-compliance with GDPR can almost ensure that one, if not all of these are a risk to your business.
Not only can it be extremely embarrassing for organisations to admit they have lost your data it can be costly, a fine of up to £17.5 Million (€20 Million) or 4% of your business’s global turnover, this is decided on whatever is larger.
The ICO (Independent Commissioner’s Office) can also impose temporary or permanent restrictions on processing and collecting data, or even ban you from operating in the UK or EU entirely.
How do you mitigate these risks?
The simplest answer is having compliance policies in place.
GDPR emphasises a preventative approach, having policies in place and clear procedures for individuals to follow in the event of an incident or data breach is the best form of prevention. Plan and prevent or respond and repair, the choice is yours.
As an organisation you can perform a data protection gap analysis review, this will not only give you a big picture of your organisations compliance but also allow you to view where the shortfalls might be.
For larger organisations having a data protection officer might be an option for most smaller businesses you won’t require a Data Protection Officer. However, having an expert that understands the policies and risks can be beneficial. At CyberCrowd we offer a DPO as a service, meaning our experts can be on hand as and when you require advice or assistance.