GlobalSign. GDPR Regulations and What It Means for Your Business Data
For most modern businesses, data is their most important asset. In terms of commercial operations, data forms the basis for driving sales and marketing, enables you to keep in touch with customers and allows you to store information about your workforce. But as the famous saying goes; with great power, comes great responsibility.
Data protection has taken on a new and sharper edge in our increasingly sophisticated digital age. Greater provisions of corporate cybersecurity and the new GDPR directive are the best way to keep one step ahead of any possible cyber-attacks. This puts the onus firmly on individual companies to safeguard the personal data they hold on their systems and to use them responsibly.
The alternative doesn’t bear thinking about. Every time a high profile data breach comes to light, it is brought home just how quickly vulnerable systems and protocols can be exploited, with potentially disastrous results in terms of misuse of data, fraud and identity theft. For your organization, this will also mean heavy fines, compensation payments and reputational loss.
If proof were needed, just take the recent spectacular attack on NHS, FedEx and computer systems as far away as Russia, Taiwan and India reported by The Telegraph as ‘the biggest ransomware offensive in history’.
What Legislation Do You Need to Comply With?
Currently, all UK businesses must comply with the Data Protection Act 1998. This will be superseded by the General Data Protection Regulation (GDPR), an EU wide law that comes into force in May 2018 and will apply to all businesses in the UK, Brexit notwithstanding.
The principle behind GDPR is that increased data protection will be achieved with greater responsibility placed on individual companies to comply, given extra teeth through large fines imposed for non-compliance up to a maximum of €20 million. Businesses wishing to collect, store and/or use personal data will be required to register with the Information Commissioner’s Office (ICO).
What Are the Key Points of GDPR?
Under GDPR, personal data is defined as anything that can be used to identify an individual person. This includes personal details such as names, email addresses, IP addresses, telephone numbers, GPS data, birth dates and health information.
Briefly, the GDPR legislation stipulates that it is your duty to:
- Collect, store and use data appropriately and with good reason.
The data in question must form part of a client contract or the client must otherwise have given their explicit authority for their data to be processed.
- Utilise data lawfully and for specified purposes.
Data must only be used in a reasonable and transparent way, and a privacy policy should be in place that can be easily accessed by the client.
- Hold sufficient but not excessive amounts of data for the specified purpose.
Only keep as much personal information on individuals as is needed, making it a policy to destroy any irrelevant or excessive data.
- Ensure personal data is always accurate and kept up to date.
You should take all reasonable steps to ensure all personal information kept on record is regularly screened and updated or deleted.
- Destroy any personal data that is no longer needed.
While there is no minimum or maximum length of time that you are permitted to keep data, you should take steps to destroy any data that has fulfilled its purpose.
- Protect any personal data stored by your organization.
You must make sure robust procedures and processes as well as adequate technical resources are put in place to safeguard data from being compromised and be ready to respond to any data breaches.
- Comply with enhanced individuals’ data rights.
Under GDPR, individuals have the right to be informed, the right of access, the right to rectification, erasure, restrict processing, data portability, object and rights in relation to automated decision making and profiling. Companies have one month to respond to requests.
- Take active measure to show compliance.
Data protection measures should be built into corporate processes through a range of accountability tools including data protection policies, training and reviews.
With GDPR promising to be the biggest Europe wide shakeup in data protection laws for two decades, businesses will find that the way they hold and handle personal data will now come under increasing scrutiny. And with huge fines to the tune of to 4% of annual worldwide turnover to back up any transgressions, you should ignore GDPR at your peril.
You can read the original article, here.