17th January 2017
The new General Data Protection Regulation (GDPR) comes into effect from May 2018. Is your business ready to implement the changes?
If not, you’re not alone at the moment. The changes to data protection law have so far been largely ignored by UK businesses. But that will be changing very soon. Now we’re into 2017, May 2018 suddenly sounds a lot closer than it did even a few weeks ago.
If you’re not sure what we’re talking about, don’t worry. Again, you’re not alone at the moment, but now is the time to act. So let’s investigate a bit further.
What is GDPR?
GDPR is the new EU-wide data protection legal framework and the UK government has already confirmed that the decision to leave the EU will not affect the implementation of the new regulations. We wrote about the new regulations when they were passed in April 2016.
Effectively, the GDPR develops and expands upon the existing UK Data Protection Act 1998. If you’re currently subject to the Data Protection Act, chances are the GDPR will apply to you, too.
Like the Data Protection Act, the GDPR relates to the handling of personal data. But the definition of personal data is expanded so that online identifiers, such as IP addresses, are classed as personal data. That’s clearly of interest in our line of business.
The GDPR also refers to “special categories of personal data”, which is effectively sensitive personal data. Included in this section are genetic and biometric data, where they are processed to uniquely identify a person.
What does this mean?
The regulation covers both manual filing systems and online personal data, so you will need to ensure both physical and virtual data is up to the required standards if you fall within the scope of the GDPR.
For many of our clients in the public and private sector, their data protection policy will have to be checked and potentially altered to ensure they comply with the GDPR.
Obviously, the regulation is central to our work because we’re storing and handling personal data on behalf of our clients. If we’re not working on your behalf, make sure whoever is hosting data for you is up to speed. The new regulations apply to any organisation offering goods or services to individuals in the EU, even if the data itself is being processed outside the EU.
IT governance is also going to become increasingly important. GDPR demands privacy by design, which includes conducting privacy impact assessments. In addition to the requirements of GDPR, adhering to this sort of IT security and governance is necessary in order to meet ISO 27001 standards. Read more about ISO 27001 certification here.
Why do you need to take it seriously?
Aside from the obvious importance of protecting personal data that has been entrusted to you, the GDPR is worth taking seriously because fines for breaches of the regulations are set to be levied as a percentage of revenue, so organisations of all sizes need to prepare for the changes or risk paying the price.