By: Scott Riley, Chief Strategy Officer.
General Data Protection Regulation (GDPR) Compliancy: The Magic Bullet!
There isn’t one! I should probably end the article right there! But, we seem to be living in the old days of the ‘impressively moustached’ snake oil salesman because there are an awful lot of miracle cures out there. I just thought it would be useful to take 2 minutes out to run through the common sense of it all because, at the heart of it, this is really not a technology issue.
Notes and Caveats: I’m neither a security expert nor a GDPR specialist, just a guy who sees that there’s some confusion out there… and I hope that my thoughts will prove helpful.
What is it?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation which was adopted by the EU in April 2016 and comes into force on May 25th, 2018. It remains extant despite Brexit and will affect and apply to UK organisations. So, in translation, Brexit will not shield you from the pain to come. Sorry chaps.
In very simple terms, it significantly improves upon the data protection regulations which we’ve worked with for some time, like the Data Protection Act (DPA) 1998. The idea is that there is now a single set of rules applicable across all EU member states. However, the key changes are around the accountability and evidence which businesses need to demonstrate relating to personal data, namely:
- That personal data is being stored / processed for valid & current reasons
- That personal data is being stored / processed in a secure manner
The penalties for failing to adequately secure data are severe. Sanctions can be imposed which may include:
- Warnings for the first case of non-compliance
- Regular periodic data-protection audits
- Fines to Enterprises of up to a maximum of 20,000,000 Euro (or up to 4% of turnover!)
What data does GDPR apply to?
Very similar to the DPA, the broad categories are Personal Data and Sensitive Personal Data, namely:
- Personal Data: Think HR records, customer contact info & online identifiers (for example Email or IP addresses)
- Sensitive Personal Data: Applies to special categories of data but think biometrics as one simple example
What does this all mean for EU businesses?
Many of the requirements are very much in line with the Data Protection Act (1998), so there are no real surprises, but there is a lot more rigour applied. The key difference is your accountability. Essentially, you’re no longer going to be able to simply assume that personal data is collected for valid reasons, stored securely and accessed ‘only by those who need it’ for valid data processing reasons; you will have to show it.
Also, please note that there is a requirement to delete personal data once it is no longer needed for the processing activity. You also have to comply with the ‘right to erasure’ (AKA the ‘right to be forgotten’) when an individual asks for their data to be erased and it is no longer required for processing.
Going forward, you will have to prove how you comply with the principles outlined in the Regulation. You will need to evidence your policies on data handling; evidence that you are processing the data lawfully; evidence that you have consent (or preferably explicit consent); and also note that there are special considerations in place for children’s personal data.
Public Organisations and Enterprises processing a certain number of data records will need to appoint a Data Protection Officer (DPO).
“The DPO is similar to, but not the same as, a Compliance Officer as they are also expected to be proficient at managing IT processes, data security (including dealing with cyber-attacks) and other critical business continuity issues around the holding and processing of personal and sensitive data.” – with thanks to Wikipedia
So what about Technology Solutions?
Sure, look, there are technology solutions which will make life easier and help you secure customer data really well. It will be no surprise to many (particularly those customers I met at Microsoft Future Decoded at ExCel, London late last year) that I’m a really big advocate of the Microsoft Cloud. Office 365 and Azure have some truly amazing capabilities, especially when you drill into the Enterprise Mobility and Security Suite (EM&S) and Azure Information Protection features. GCI has an awesome Accredited Cloud Platform in UK Datacentres which can deliver secure services.
Please come and chat over a tea sometime and we’ll show you some great case studies. They may help shape your thinking and planning… or simply give you a few ideas to take away.
But, I say again, this is not a technology challenge. This is about people and process. It’s more of ‘what we’ve always needed to do’ and anyone who offers you a magic bullet technology solution is simply pulling your leg. It’s the snake oil rhetoric of a bygone age and will only serve to give you ‘rumble tum’!
For more reading on the subject, check out the Information Commissioner’s Office breakdown on GDPR; it’s really helpful: //ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/. Alternatively, please give us a call anytime on 0333 555 9990.