GDPR is the General Data Protection Regulations (GDPR) that come into effect on 25th May 2018, it is the biggest change to Data Protection in 20 years and is long overdue, the amount of personal data we process and the way we process it has changed vastly and all businesses need to demonstrate that they care and respect the data they are privileged to maintain, the GDPR is best described as a “risk based regulatory framework”, you need to asses your risks to the data and then put monitoring, detection and response controls in place, these come in many forms.
For most businesses the change is actually not that big, it would be fair to say that most respectful businesses already treat the Personal data they maintain with respect and care but have not documented how they maintain the data and how to put things right, the GDPR puts a requirement on businesses to have a clear and concise Data Protection Policy in place and then demonstrate how the policy is applied.
What is Personal Data
The GDPR changes the definition of personal data, it is fair to say that information you would previously not have classified as Personal Data will be under the GDPR.
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Can I still process Personal Data?
Of course you can, but you must have a Lawful Reason to process the data, there are 6 lawful reasons for processing data, there is no hierarchy to the reasons.
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
Everyone is talking about big fines!
There is no hiding from the fact that the GDPR does include provision for some hefty fines, as we have said the GDPR is a “risk based regularity framework” the implementation of the GDPR in your business is all about mitigating those fines with you monitoring, detection and response controls, however it is worth noting that Elizabeth Denham of the Information Commissioners Office (ICO) has consistently said she “would rather use the Carrot than the Stick” and fines will be a last result saved for persistent offenders and serious cases. the ICO have
What do I need to do?
The very fist thing you need to do is asses what Personal data you hold, how has access to it and where it is going, then you need to risk asses the data and implement monitoring, detection and response controls, these will vary depending on the data and how much control you have over those controls, this is know as a Data Protection Impact Assessment.
No doubt all the information above is very helpful but you may feel overwhelmed by the task, not to worry we can help you, we have several packages and can create a bespoke package for you.