What is GDPR?

The General Data Protection Regulation (GDPR) is a European privacy law that takes effect on 25 May 2018. It requires every organisation to take the personal data it holds seriously and to make the changes needed to protect that data from loss, misuse and breach. It has been designed to unify data privacy law across Europe and to reshape the way organisations approach data privacy. It also raises the penalties and fines for businesses that suffer a data breach having failed to protect personal data adequately.

Who does GDPR apply to and what are some of the key changes?

  • UK organisations handling personal data will still need to comply with the GDPR, regardless of Brexit. The government and the Information Commissioner have confirmed that the GDPR will come into force before the UK leaves the European Union.
  • If your business suffers a breach and cannot demonstrate that appropriate measures were in place to protect your customers’ data, you could face a fine of up to €20m or 4% of your worldwide annual turnover, whichever is greater.
  • Some organisations must appoint a Data Protection Officer (DPO): public authorities, and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data. Everyone else is encouraged to. The DPO advises the business on its obligations, monitors compliance (including through audits), helps reduce the risk of data breaches and acts as the point of contact for the ICO. The role may be given to someone at senior level, e.g. the Financial Director or IT Director, but that person must be free of conflicts of interest: they cannot be the one deciding how personal data is processed.
  • If your business suffers a personal data breach, you must notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, you must also tell the affected individuals without undue delay, so you should assume the incident will not stay private.
  • Right to Access: if an individual asks for access to their data, you have one month to complete the request and disclose the information (extendable by a further two months for complex requests), and you cannot charge a fee in most cases.
  • Right to be Forgotten: individuals have the right, in certain circumstances, to have their personal data erased without undue delay.
  • Data Portability: individuals have the right to receive the personal data they have provided in a structured, commonly used, machine-readable format, and to have it transmitted to another organisation.
  • Increased territorial scope: the GDPR applies to any organisation, wherever it is based, that offers goods or services to individuals in the EU or monitors their behaviour.
  • Broader definition of personal data: it now explicitly covers a whole range of information such as photos, social media profiles, bank details, IP addresses and other online identifiers.

Treat GDPR as an opportunity…

Getting hacked in today’s climate is no longer a matter of if, but when. 1 in 5 UK companies were hit by cyber attacks in the last 12 months. The worrying thing about this statistic is that all of us are prone to assuming it won’t happen to us.

But you shouldn’t feel frightened by the GDPR; ultimately it enables us to do more with our data in a way that is responsible and accountable.

Data is one of the most important assets you have, so securing it is the most direct way to reduce the impact of a breach. The sooner you implement a data protection strategy that includes controls such as encryption, firewalls and anti-malware protection, the less likely you are to become part of that 20% statistic.

Companies that can demonstrate they are actively working to protect personal data, e.g. by working with third-party security providers, will be better placed to show the ICO that they are committed to privacy. The ICO takes such measures into account when deciding whether to fine and how much, so they may reduce or avoid a penalty in the event of a breach, but they do not guarantee it.

How can my business align itself with a data protection strategy?

To prepare for the upcoming regulation, we at T-Tech are encouraging our customers to review their current position and recommending the security changes they should make. We offer a range of services that will leave our customers well equipped.

These include:

  • A full IT infrastructure audit
  • Manual external and internal penetration tests
  • Staff security awareness training
  • Email phishing assessment
  • GDPR audit, and more.

We also encourage our customers to become Cyber Essentials Plus certified, which helps to control and manage the risk.

Taking a comprehensive approach will not stop every attacker, but it will put you ahead of many other companies and set you on the right path to being protected, both from a data and a bottom-line perspective.

(Disclaimer: This information is for general guidance and is not legal advice. If you need legal advice about what action to take, please contact an adviser or solicitor)