What is GDPR?
In 1998 the Data Protection Act (DPA) was introduced by the UK Parliament as the main piece of legislation governing the processing of data about identifiable living people. However, the technology landscape has changed so much since the Act came into force that the law is now significantly out of date and can no longer protect the individual as originally intended. A prime example is social media sites capturing personal data, profiling it, and selling it to advertisers without the individual's explicit consent.
The General Data Protection Regulation (GDPR), an EU regulation adopted on 27th April 2016 and applying from 25th May 2018, will supersede both our Act and the 1995 Data Protection Directive, and is significantly more stringent. The main focus of the GDPR is to protect the personal data of all individuals residing within the EU, irrespective of where the company holding the data is based. Among other things it sets rules on holding, processing, profiling, maintaining and deleting that data.
For more information regarding GDPR, visit our blog.
Are you ready to comply with GDPR?
Any company that stores or processes personal data about individuals in the EU must comply with the GDPR, even if it has no business presence within the EU. In practice the regulation applies to a company that has:
- A presence in an EU country.
- No presence in the EU, but processes personal data of people residing in the EU.
Company size does not change this. The 250-employee threshold that is often quoted relates only to the record-keeping exemption in Article 30: an organisation with fewer than 250 employees must still keep records of its processing where that processing is likely to put the rights and freedoms of data subjects at risk, is not occasional, or includes special categories of personal data. That effectively means almost all companies.
Data mapping allows an organisation to visualise and understand where its data is located. This covers, among other things: the nature of the data, where it resides on the network, who has access to it, whether it is stored securely, and whether it is shared across several systems. Proper data mapping is therefore a necessity for data protection and data privacy, the two essential pillars of GDPR compliance.
How can we help?
A data-flow audit is a good first step towards clear visibility of, and reduced risk to, client, employee and vendor data. It also helps to manage information assets effectively and to retrieve specific data quickly. Moreover, data mapping goes hand in hand with data portability.
Under Article 20 of the GDPR, data portability gives individuals the right to obtain a copy of their personal data and to reuse it across different IT environments, including moving or transmitting it securely to another organisation if they so wish.
For GDPR compliance this matters because Article 20 requires the data to be provided in a structured, commonly used and machine-readable format.
How can we help?
We can assist with putting in place automated processes to organise and structure the data in a GDPR-compliant way (database design, scripting, data-entry software); with putting in place encrypted channels (for example TLS or a VPN) so that data cannot be intercepted when it is sent from one IT system to another, such as from one company to another; and with reviewing each portability request to ensure that fulfilling it does not breach any GDPR article.
SAR (Subject Access Requests)
Under section 7 of the Data Protection Act 1998 (and, from May 2018, Article 15 of the GDPR), individuals have the right of access to their personal data.
How can we help?
When preparing a response to a subject access request, it is important to understand exactly what data is being requested, because several exemptions apply. We can help by checking the nature of the data requested, making sure the response is in line with DPA section 7, and preparing the export of the required data.
Continual Compliance Assistance
Achieving GDPR compliance is only one step of the whole process. Once it is achieved, the next step is to keep up to date with new articles and changes to regulations and laws, and to make sure that the processes put in place remain compliant over time.
How can we help?
We monitor the processes that have been put in place to verify that they are still enforced, and regularly assess the implemented controls to verify that they remain functional and operational, updating them where necessary and implementing new ones where needed. We also conduct regular PIA/DPIA (Privacy Impact Assessment / Data Protection Impact Assessment) reviews to assess the risk of exposure of personal information and to prevent data breaches.
Your priority now is to carry out an audit of all the IT systems you use to handle individuals' personal data. From your internal CRM to your HR system to your email marketing software, all of it needs to be assessed for GDPR compliance.
We can carry out this audit for you. This is one of the advantages of using Novus to support your business and help it grow. Also, did we mention:
- We're experts in IT systems, with 10+ years of experience in encryption and data systems.
- We also advise on business technology, meaning we can suggest and implement the right solutions for your business, ensuring your processes are end-to-end compliant with minimal disruption.
- Non-compliance can result in heavy fines (under the GDPR, up to €20 million or 4% of global annual turnover, whichever is higher), and ignorance is no excuse: the ICO's GDPR guidance has been available for some time.