Though not applicable to all of my readers, I thought I'd still share this post on GDPR and what it means to businesses (seeing as we can't seem to get away from it at the moment). If you're wondering why you're getting emails from every Tom, Dick and Harry on their security updates, GDPR is why.
Here’s what I have to say on the matter, courtesy of the Tecmark blog.
GDPR is set to come into legislation on the 25th of May this year, replacing the 20-year-old Data Protection Act that stood before it. The law is set to reach a wide scope of organisations and is said to take a modernised, 21st-century approach to data security, but what does it mean for your business?
What do I need to know about GDPR?
GDPR applies to personal data, or more precisely to the protection of it. This covers any information that can directly (or indirectly) be related to an individual, in any format. The regulation covers a much wider scope of information types than its predecessor and is set to place much stronger controls over this kind of data. The data covered is classified into two categories.
Special Categories of Personal Data
The GDPR will apply to all organisations, including those within the EU. It will be implemented before Britain leaves the EU and will remain in place thereafter. The legislation will apply to all businesses: this includes commercial businesses, charities and public authorities that collect, store or process any of the personal data mentioned above.
The basic principles that the GDPR will cover are:
- Data protection principles
- Accountability and governance
- Data protection by design and default
- Lawful processing
- Valid consent
- Privacy rights of individuals
- Transparency and privacy notices
- Data transfers outside of the EU
- Data security and breach reporting
What does GDPR mean for my business?
You need to ensure your security is top-notch
In line with the Data Protection Act 1998, your business should already have a sound data protection plan in place. If not, now is the time to work on one: if your security is insufficient, you could be breaching the law.
We would advise taking the following steps to ensure that your security is always A+, so that not only are you in line with the law, but you are also safe from security breaches, which can have an impact on both your business and your employees.
- Shred all of your old files as soon as you no longer need them
- Keep track of what sensitive data you currently hold, used to hold and who has access to it
- Ensure your offline files are kept securely in a locked filing cabinet
- Ensure your online files are kept secure with digital document management software
- Update passwords regularly
- Store passwords in secure password-management software
- Ensure there are no files left around the office – even if you don’t think they are sensitive
Even if you do not think you possess any of the sensitive personal data highlighted above, it is still important that you keep your files secure (whether that be online or offline) just in case.
Tecmark recommends: chances are, you’re going to have one or two documents lying around that may just contain some of the data that falls under scrutiny in the act, so you’re going to want to keep all of your documents secure, just to be on the safe side.
You need to be mindful of any changes
When GDPR is implemented, you'll need to ensure that your business ticks every box, as this new legislation has been meticulous in its principles and it is easy for businesses to be caught out.
Tecmark recommends: we’d recommend doing a little more research around GDPR and producing a checklist of all the requirements that keep you in line with the regulation, and then checking your office complies with each of these points, one by one.
Small businesses need to be extra mindful
Most large-scale businesses will already be pretty clued up on data protection and will probably just need to make a few adjustments to their practices in order to keep in line with the new regulations.
Smaller businesses, however, are predicted to be affected more by the GDPR and therefore will need to be super mindful of new laws.
Tecmark recommends: If you are a small business then you need to ensure that you are keeping all sensitive documents secure. In fact, we’d recommend keeping all of your files in a secure area – just to be safe.
You must demonstrate compliance with the GDPR
One of the new things the legislation requires is that your organisation demonstrates it is complying with it.
To demonstrate that you meet your obligations, the GDPR requires that you:
- Keep a detailed record of data processing operations
- Document data protection policies and procedures
- Complete data protection impact assessments for high risk scenarios
- Ensure staff training and awareness
Tecmark recommends: The best way to demonstrate your compliance is to follow the legislation from the very start. As of the 25th May you should have sufficient data security protocols in place, have all records updated, know how to complete a DPIA and have your staff trained and ready to go.