OX IT Solutions Ltd


GDPR

The EU General Data Protection Regulation

The EU General Data Protection Regulation (GDPR) has significantly reshaped the data protection landscape for organisations worldwide that collect and process the data of European residents.

The Regulation imposes fines of up to 4% of annual global turnover or €20 million (whichever is higher), grants extended rights to data subjects and allows data subjects to bring legal action against organisations in the event of a data breach.

The GDPR became enforceable on 25 May 2018. UK organisations that process the personal data of EU residents need to ensure that they are compliant.


The Key Changes introduced by the Regulation

The GDPR has introduced a number of key changes for organisations. For more information please visit ITGovernance.co.uk.


If your business is not in the EU, you will still have to comply with the Regulation

Non-EU organisations that do business in the EU with EU data subjects' personal data should prepare to comply with the Regulation. Those providing products or services to EU customers or processing their data may have to face the long arm of the law if an incident is reported.

The definition of personal data is broader, bringing more data into the regulated perimeter

Data privacy encompasses other factors that could be used to identify an individual, such as their genetic, mental, economic, cultural or social identity. Companies should take measures to reduce the amount of personally identifiable information they store, and ensure that they do not store any information for longer than necessary.

Consent will be necessary for processing children's data

Parental consent will be required for the processing of personal data of children under age 16. EU Member States may lower the age requiring parental consent to 13.

The rules for obtaining valid consent have been changed

The consent document should be laid out in simple terms. Silence or inactivity does not constitute consent; clear and affirmative consent to the processing of private data must be provided.

The appointment of a data protection officer (DPO) will be mandatory for certain companies

Article 35 of the GDPR states that data protection officers must be appointed for all public authorities. In addition, a DPO will be required where the core activities of the controller or the processor involve "regular and systematic monitoring of data subjects on a large scale" or where the entity conducts large-scale processing of "special categories of personal data".

Firms whose core business activities are not data processing are exempt from this obligation.

The GDPR does not specify the credentials necessary for data protection officers, but does require that they have "expert knowledge of data protection law and practices".

Mandatory data protection impact assessments have been introduced

A risk-based approach must be adopted before undertaking higher-risk data processing activities. Data controllers will be required to conduct privacy impact assessments where the risk of a privacy breach is high, to analyse and minimise the risks to their data subjects.

There are new requirements for data breach notifications

Data controllers will be required to report data breaches to their data protection authority unless the breach is unlikely to present a risk to the rights and freedoms of the data subjects in question. The notification must be made within 72 hours of the data controller becoming aware of the breach, unless there are exceptional circumstances, which will have to be justified.

Where the risk to individuals is high, the data subjects themselves must also be notified, although the Regulation does not specify a timescale.

Regular supply chain reviews and audits will be required to ensure suppliers are fit for purpose under the new security regime.

Data subjects have the right to be forgotten

Data subjects have the "right to be forgotten". The Regulation provides clear guidelines about the circumstances under which the right can be exercised.

There are new restrictions on international data transfers

Since the Regulation is also applicable to processors, organisations should be aware of the risk of transferring data to countries that are not part of the EU. Non-EU controllers may need to appoint representatives in the EU.

Data processors share responsibility for protecting personal data

Data processors will have direct legal obligations and responsibilities, which means that processors can be held liable for data breaches. Contractual arrangements will need to be updated, and stipulating responsibilities and liabilities between the controller and processor will be an imperative requirement in future agreements. Parties will need to document their data responsibilities even more clearly, and the increased risk levels may impact service costs.

There are new requirements for data portability

Data portability will allow a user to request a copy of their personal data in a format usable by them and electronically transmissible to another processing system.

Processes must be built on the principle of privacy by design

The GDPR contains requirements that systems and processes must consider compliance with the principles of data protection. The essence of privacy by design is that privacy in a service or product is taken into account not only at the point of delivery, but from the inception of the product concept.

There is also a requirement that controllers should only collect data necessary to fulfil specific purposes, discarding it when it is no longer required, to protect data subject rights.

The GDPR is a one-stop shop

A new one-stop shop for businesses means that firms will only have to deal with a single supervisory authority, not one for each of the EU's 28 member states, making it simpler and cheaper for companies to do business in the EU. This will also have a positive impact on Internet service providers with offices in several EU countries.

Resources

We've compiled a list of useful resources about the GDPR. We can assist you from a security perspective to make sure you are taking the correct measures to secure and protect your data. We also strongly recommend seeking legal advice in order to comply with the new regulation. All information below is sourced from IT Governance.

Data Protection Act (DPA) and EU GDPR penalties - Compliance with data protection legislation is not just a matter of best practice; the penalties for non-compliance are serious – and are about to become a lot worse.
Free green paper download: EU General Data Protection Regulation - A Compliance Guide
GDPR training courses - Effective GDPR compliance begins with professional training.
How ISO 27001 can help you comply with data protection law - ISO 27001 is the international information security standard.
News article from ITPro - How to get ready for GDPR: 2018 data protection changes

The Brexit Questions

The GDPR, like all EU regulations, applies directly in the UK with all the authority of a domestic law. When the UK leaves the EU, the EU GDPR will no longer directly apply. However, its requirements will still be part of UK law. Find out what will happen to data protection law in the UK after Brexit.


Infographic - What the new EU GDPR means in 1 minute

The EU General Data Protection Regulation will increase privacy for individuals and give regulatory authorities greater power to take action against businesses that breach the new laws. Here's what it means for your business.

Download our infographic - What the new EU GDPR means in 1 minute.

How we can help secure your data

Becoming GDPR compliant is an incredibly complex undertaking, and we are here to help get you on the right track. We've compiled a list of useful resources that can assist you with further information about the GDPR. In line with this, we have listed below the areas in which we can assist you with securing data held within your company.


Here are a few key questions/areas of concern about your data and a list of solutions we offer to help you become compliant.


If you would like any further information on the products we offer, please get in touch.


Key questions/areas of concern, and the solutions we offer

How is data protected within your organisation?
Solution: File and folder encryption.

Are you running a security suite capable of controlling and monitoring the flow of data?
Solution: Device Control and DLP with centralised reporting and policies.

Do you have all personally identifiable data on removable devices encrypted?
Solution: Drive encryption and USB encryption.

Are there products in your current suite that could simply be enabled to encrypt and control data within the organisation?
Solution: Most customers are already licensed for Device Control and don't realise it.

Would you like to start by looking at Device Control, encryption and DLP?
Solution: Device Control, encryption and DLP.

Are you enforcing encryption policies?
Solution: We can help with this and advise on products for endpoint and e-mail encryption.

Do you report on data breaches?
Solution: IPS appliances and centralised reporting on the endpoint products would be extremely beneficial in this area.

Do you know about our Remote Cyber Security Review?


Is your security solution performing as it should be?

Our Security Review has been created to protect our customers. It starts with a review of your existing security implementation to discover gaps in your protection, reduce operational costs, enforce compliance, apply best practices and advise on your upgrade requirements.