We know organisations need relevant and timely information about fundamental changes affecting IT, and if you don’t already have a plan for GDPR compliance you need to read this article.
Recently you may have heard people talking about GDPR and wondered what it’s all about and, more importantly, if it will affect your business. The long and short of it is the new regulation has far reaching implications for every business, and no business is exempt regardless of size, industry or longevity.
If you hold any personal data, GDPR will affect your business. Companies that are found to be non-compliant can be fined up to €20m or 4% of turnover, so we are going to tell you what it is and what you need to do.
The General Data Protection Regulation is a European initiative and comes into effect on 25th May 2018. GDPR will govern how all businesses collect, store, access and process personal data, and will replace existing Data Protection Acts. The aim is to standardise regulations across the EU member states, and Great Britain will be affected despite Brexit.
In the past businesses rightly believed that the personal data they collected and held as part of their normal course of business belonged to the business. GDPR shifts the balance in favour of the individual, and businesses must now consider themselves as custodians of other people’s personal data and must use it responsibly and safeguard it accordingly.
Key Facts
- Personal data must be processed lawfully, fairly and transparently
- Personal data can only be collected for specified, explicit and legitimate purposes
- Personal data must be adequate, relevant and limited to what is necessary for processing
- Personal data must be accurate and kept up to date
- Personal data must be kept only for as long as is necessary for processing
- Personal data must be processed in a manner that ensures its security
Key Aspects
- Explicit Consent
- Right to be Forgotten
- Data Portability
- Breach Notification
- Privacy Impact Assessments
- Privacy Notices
- Record Retention
- Access Control
- Accuracy/Integrity of Data
- Subject Access Request
Personal information can be found in many areas of a company’s data; the most obvious are personnel records, CRM systems and Line of Business applications. However, personal data held on a company’s mobile phones, whether it concerns customers or employees, will also fall under GDPR.
It’s easy to think of data as just lists of prospects, enquiries and customers, but it’s very likely you also have personal data contained within emails, whether sent between members of staff, to their friends and family, or to external organisations.
This presents a number of challenges: identifying the full extent of the personal data an organisation holds, handling requests from individuals to know what data is held about them, and deleting that data when the individual requires it.
What can you do?
If the regulation has one main aim, it is to make us all act more responsibly with the data we hold, so now is a good time to get started. Some tips below:
- Establish what personal data is being held. You will need to show that retaining any personal information is relevant and not excessive.
- Establish where personal data is stored. Databases, emails, web applications, mobile/tablet apps?
- What security surrounds the data and the devices that hold it (e.g. do your mobile phones have anti-malware)?
- Do you have full visibility and control over who accesses and updates the personal data?
- Confirm how personal data is backed up. Is it in the cloud, on disk or on tape? How many copies are there and where are they held? Are they encrypted?
- Review company practices and policies in order to comply with the new data security directives. Ensure your staff are trained in how to collect, handle and store personal data.
- Upgrade and enhance your IT and data security. Don’t leave it to the last minute.
- Formalise the ongoing review of your IT security measures.
ICO Systems is offering guidance to businesses on how they can comply with GDPR, focusing on IT systems and IT security. If you have any concerns, please contact us; we’re happy to help.
Why this can’t be ignored.
We often hear about data breaches: devices left on trains, ransomware crippling governments and global organisations. These stories enter the public domain, but there are many that don’t.
The new regulations mean that any data breach has to be reported to, and logged by, a supervisory authority. The fines for these data breaches are intended to be punitive. Equally, the new rules will make it easier for private actions to be taken, which will inevitably mean additional compensatory claims.
If you would like to know more about GDPR and how to be compliant, please contact our account management team on 01473 211330 or email gdpr@icosystems.co.uk.
Who and what is ICO Systems?
ICO Systems is an Ipswich-based IT services provider, offering IT support to businesses throughout Suffolk and East Anglia. We specialise in providing on-premises and cloud-based IT infrastructure and security solutions that both improve productivity and offer protection against the ever-increasing threat of cybercrime.
We have close working partnerships with companies such as Microsoft and WatchGuard, and we are one of the ten largest UK resellers of Microsoft’s cloud platform, Azure.