From 25 May 2018 the EU General Data Protection Regulation (GDPR) applies across the EU. It marks a new era in data protection and puts an extra set of demands on businesses and on the IT infrastructure they use every day. Every organisation will have a different set of requirements in order to be GDPR-ready, but there are some common themes that compliance demands.
The issue of consent
The standard for consent has been raised by the GDPR: consent must be freely given, specific, informed and unambiguous, and it must be the result of a clear affirmative action. So if you are currently relying on pre-ticked boxes, or on a single box that covers any and all contact and data collection, you are not going to make the grade. Consent must be specific and narrow, it must be as easy to withdraw as it was to give, and you must be able to demonstrate that it was obtained. Bear in mind that consent is only one of the lawful bases the GDPR recognises; where another basis (such as a contract or a legal obligation) applies, you do not need consent as well. If you are offering online services directly to a child, consent must be given or authorised by the holder of parental responsibility (the age threshold is 16 unless a member state sets it lower, to no less than 13).
New levels of accountability
It used to be the case that data could be collected, stored somewhere in an IT infrastructure and then either used or forgotten about. With the arrival of the GDPR this has changed dramatically. Data subjects now have the right to withdraw consent at any time, for example, which means that your IT systems need to be able to act on a withdrawal promptly and stop the processing it covered. Data subjects also have the right of access to the personal data you hold on them, normally to be satisfied within one month of the request, and the right to erasure (the “right to be forgotten”), under which you must delete their personal data where, for instance, it is no longer needed for the purpose it was collected for or the consent it relied on has been withdrawn. There are exceptions, such as data you are legally required to retain, but in most cases these rights are not negotiable. Is your current IT able to locate every copy of an individual’s data, export it and delete it within those timeframes?
An increase in levels of protection
The GDPR defines personal data broadly, covering anything that can identify a living person directly or indirectly, including economic, cultural and social factors as well as identifiers such as IP addresses and location data, and then adds new requirements for keeping it safe. For example, if your processing is likely to result in a high risk to individuals, such as large-scale handling of special categories of data (health, biometric, political opinions and so on) or systematic monitoring of people, you must carry out a Data Protection Impact Assessment before you start, and your IT systems need to be documented well enough to support one. You may also be required to appoint a Data Protection Officer: this is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. The DPO can be an employee or an external contractor, but must have the requisite level of expertise to ensure your IT and processes are regularly assessed as up to scratch.
IT security and data breaches
The GDPR introduces a tight deadline for reporting a personal data breach: from May onwards you must notify the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and you must tell the affected individuals without undue delay where the risk to them is high. Every breach, reported or not, has to be documented. So the key question will be whether your IT is structured in such a way that a breach is detected in the first place, the right people are notified and the correct information (what happened, whose data, what categories, likely consequences and what you have done about it) is gathered within that timeframe. The new regulation also places significantly more emphasis on the need for effective cyber security, requiring technical and organisational measures appropriate to the risk, and it names encryption and pseudonymisation as examples. If you haven’t yet carried out a full review of your IT and its security, and made changes to tighten it up, then you could risk non-compliance.
What happens if you get it wrong?
Fines have been increased sharply as an incentive to ensure GDPR compliance. For the most serious infringements you could face a fine of up to 4% of annual worldwide turnover or €20 million, whichever is the larger (a lower tier of 2% or €10 million applies to other breaches of the regulation). Then there’s the reputational aspect: with mandatory breach notification there will be no hiding from failures such as data breaches, so client and customer trust could be easily eroded.
We make IT solutions simple – if you need assistance finding the right technology to ensure your IT is GDPR compliant we can help. Contact a member of the team to find out more.