The General Data Protection Regulation, or GDPR, applies in the UK (and across the rest of the EU) from 25 May 2018 and replaces the Data Protection Directive of 1995. But what does GDPR mean for your business?
The GDPR is designed to strengthen the protection of individuals' personal data by extending the scope of current EU data protection law. In effect, this means that any organisation processing the personal data of individuals in the EU, wherever that organisation is based, must abide by one standardised set of EU rules. The idea behind it all is to hand power back to the individual over how much of their personal data is held and what it is used for.
The regulation will profoundly alter the way SMEs manage and structure their customer and employee data. GDPR enables regulators to fine companies up to four percent of global annual turnover or €20 million, whichever is higher, for the most serious infringements, which include processing personal data without a lawful basis and failing to keep it appropriately secure, for example where a cyber-intruder gains access to it in a breach. With fines of that size a possibility, non-compliance is not an option.
Among many new conditions, one of the biggest changes SMEs will face concerns consent. Consent is only one of the lawful bases for processing personal data (contract, legal obligation and legitimate interests are others), but where a company relies on it, it must keep a thorough record of how and when each individual gave consent to store and use their personal data.
Furthermore, consent will mean active, unambiguous agreement. It can no longer be inferred from silence, inactivity or a pre-ticked box. Any small business that relies on consent will have to demonstrate it has appropriate controls in place and show a clear audit trail detailing what the individual was told, what they agreed to, and when and how they agreed.
Individuals also have the right to withdraw consent at any time, and withdrawing must be as easy as giving it. When an individual withdraws consent and there is no other lawful basis for holding their data, their details must be permanently erased, including copies held in backups and by third-party processors, and not just removed from a database or mailing list.
All of this will inevitably have a huge impact on how companies store data. Security and privacy must now be priorities for IT teams designing data storage, with "appropriate technical and organisational measures" required for all systems holding personal data. Encryption of personal data, both at rest and in transit, is the measure the regulation names explicitly, so it should be treated as a prerequisite on every server where personal data is stored.
This includes third-party and cloud-based systems, or, indeed, a hybrid of on-site and cloud storage. SMEs remain responsible for personal data they hand to a service provider, so they will need a written contract with each processor setting out its security obligations, and closer liaison with those providers to confirm the data is actually being held securely.
Becoming certified to ISO 27001, the international standard for an Information Security Management System (ISMS), will help you work towards compliance, because much of what it requires maps directly onto GDPR's security and accountability obligations. Typically, this requires implementing and documenting a management system that includes:
- An information security policy and supporting policies
- A register of applicable legislation, regulation and contractual requirements (GDPR itself will sit here)
- An information asset register
- Risk assessments with a risk treatment plan and a Statement of Applicability listing the controls you have chosen, including business continuity
- Continual improvement: recording nonconformities and the corrective actions taken
If the General Data Protection Regulation has you thinking about your network security, get in touch with the team at Amba to discuss how we could help.