The General Data Protection Regulation (GDPR) was adopted by the European Parliament in April 2016, replacing the current EU Data Protection Directive, which has survived since its introduction in 1998. Interestingly, fewer than 10% of UK households held an internet connection at that time.
Unlike the Data Protection Act (DPA), the GDPR sets out responsibilities for any global company which holds or processes European personal data both inside and outside of Europe, effective from 25 May 2018.
Current UK government announcements support the adoption and maintenance of this regulation, despite ‘Brexit’, so with less than a year to go it is important to understand what preparations businesses need to make to comply with the legislation. Non-compliance will see an increase on current DPA penalties, from up to £500,000 to €20,000,000 under the GDPR (or 4% of the business’s annual global turnover).
Until now the Data Protection Act has created a relatively clear division of responsibility between those it categorises as data controllers and those it categorises as data processors. The GDPR blurs these lines and requires reporting and monitoring well beyond that associated with its DPA predecessor.
In a world driven by data and intelligence, the GDPR starts to introduce the ‘right to be forgotten’ on the part of individuals, placing a responsibility on the custodian of any such data to allow the individuals concerned to opt-in or out of retention of such data.
Implicitly, this requires a business to understand the nature of the data it holds, and where that data is located.
The availability of cloud computing and storage has accelerated the pace at which new and innovative solutions can reach consumers, whilst the GDPR forces any such solution, or user of it, to consider where their data resides.
We have all become highly reliant upon mobile devices, but these tend to fall under the radar when considering data and security. These devices serve as powerful conduits to ‘the cloud’ and can create issues if client data makes its way onto them.
Our email communications and associated systems carry sensitive information which can be exposed at our desktops and mobile devices. Businesses require a clear line of sight on their data and the GDPR requires business policies and privacy notices to provide for the new individual rights.
Whilst Apple have proposed patents to store fingerprint data ‘in the cloud’, they have yet to announce plans to do so. The local iPhone memory, or ‘Secure Enclave’ as they call it, remains the repository for their mathematical representation of your fingerprint.
If you hold any customer data, sensitive or otherwise, you will need to ensure that you are processing and storing it lawfully and that you remain permitted to do so. In addition, you need to understand where any such data is held and who has access to it!
The GDPR forces greater accountability and as such adequate plans, procedures and monitoring need to be in place to deal with any data security breach; you will be legally required to report such breaches within 72 hours.
Do your current processes or systems, generic or proprietary, give rise to the risk of contravening GDPR regulations?
You should consider:
- Client record databases
- Email communication systems
- Electronic storage media
- Mobile and desktop devices
Whilst the GDPR affords the regulator significantly increased powers, the reputational damage and loss of confidence caused by a breach are still likely to outweigh the heavy fines that can be levied for non-compliance.
The Information Commissioner’s Office has published a 12-step guide to preparing for this far-reaching legislation.
By Paul Holland, CEO of Beyond Encryption.
The inaugural Data Protection World Forum (DPWF) was held on November 20th & 21st 2018 at the ExCeL London and welcomed over 3,000 delegates seeking the very latest insight on data protection and privacy.