GDPR - Challenges and Implications
The General Data Protection Regulation (GDPR) is the new EU regulation designed to strengthen data protection at organisations which hold or process the personal data of individuals in the EU.
The regulation comes into effect on 25th May 2018, meaning that organisations have just over 12 months to ensure that they are compliant.
Harmonisation Across the EU
The regulation is intended to establish a single set of rules across Europe. The thinking behind this is that it will make it simpler and cheaper for organisations to do business across the Union. It is important to note that organisations established outside the EU are also subject to the regulation if they offer goods or services to, or monitor the behaviour of, individuals in the EU. Despite Brexit, the UK will be implementing the GDPR.
The GDPR will apply to a large number of industries across the globe, with almost all sectors being affected by the regulation. Industries that process huge amounts of sensitive customer data, such as the legal and financial industries, as well as social media, creative and telecommunication agencies, are all at high risk. SMEs in particular must also pay great attention to the regulation, as traditionally they lack the stringent security measures required to keep data safe from an external breach.
GDPR – Key Challenges
Under the GDPR some of the key challenges for business include:
Expanded Rights of Data Subjects - The strengthened data protection rights under GDPR give data subjects more control over their personal data. When personal information is gathered, the organisation that wishes to use it must have a lawful basis for processing it; where that basis is consent, the consent must be freely given, specific, informed and as easy to withdraw as it was to give. Data subjects will also be able to ask whether personal data concerning them is being processed, where it is held, and for what purpose. Finally, an individual will have a right to be forgotten, whereby they can ask to have information about them erased; the organisation must comply where, for example, the data is no longer needed for the purpose it was collected for or the individual withdraws consent, unless it can show an overriding reason to retain it, such as a legal obligation.
Fines - When GDPR is implemented, there will be a substantial increase in fines for organisations who do not comply. In the UK, the power to issue fines will sit with the Information Commissioner's Office (ICO). For the most serious infringements, fines can reach up to €20 million or 4% of global annual turnover, whichever is the greater (a lower tier of up to €10 million or 2% applies to other infringements). In Oct 2016, the ICO issued a fine of £400,000 to TalkTalk for its 2015 data breach. Under the GDPR 4% global turnover maximum, that fine could have reached £72 million.
Breach Notification - When GDPR is enforced, breach notification will become mandatory. A breach may take place in a variety of different ways, for example, accidental data disclosure by a staff member, a cyber-attack resulting in data theft, or malicious data sharing by a disgruntled employee. Whatever the event, a breach that is likely to result in a risk to the rights and freedoms of individuals must be reported to the supervisory authority - which in the UK will be the ICO - without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it. A notification made after 72 hours must be accompanied by the reasons for the delay, and failure to notify can itself attract a fine. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be told. There is an exception to this second requirement: if you can show that the personal data was subject to technological protection measures rendering it unintelligible to unauthorised people (e.g. encryption, with the keys not themselves compromised), you do not need to notify the affected data subjects, although the report to the supervisory authority is still required.
Implications - In the lead up to the implementation date, many organisations will need to plan and modify their systems and operations in order to achieve compliance. Initially businesses will need to understand where all of their data is stored as well as how to manage the consent process. Further to this, organisations will need robust technology and security in place which has the ability to scale and protect all of the data which is in its possession.
To find out more about GDPR and how Information Technology can help you prepare for this regulation, view our GDPR web page or view our data sheet below.
About Stack Group
Founded in 1979, profitable and growing, The Stack Group provide a comprehensive range of IT services and solutions from cabling through to cloud services.
Our offerings encompass all aspects of business continuity, virtualisation, data storage, networking and security. With two wholly-owned, UK-based, ISO27001 accredited datacentres, all of our vSTAX® cloud solutions are industry certified and comply with EU regulations.
From our office locations in Liverpool and London, we provide leading edge technologies to client locations across the UK.