A simple guide to GDPR for business

The General Data Protection Regulation (GDPR) (EU 2016/679) is a regulation by which the European Union intends to strengthen and unify data protection for individuals inside the EU. It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

Who does the GDPR apply to and when does it come into force?

The GDPR applies to both ‘data controllers’ and ‘data processors’. Data controllers say how and why personal data is processed and data processors act on the controller’s behalf. The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.

The GDPR will be applicable to most organisations that keep HR records on employees, customer lists, or other contact details etc, either digitally or manually.

The GDPR will come into force on May 2018, at which time the UK will still be a member state of the EU. In addition to this, the UK government has also announced that even after it leaves the EU the GDPR itself, or equivalent data handling principles, will still be applied to the UK.

This is necessary firstly because UK businesses handling data belonging to EU citizens will still be in scope of the Regulation even if it is processed outside of the EU. And secondly, the UK wants to enable its technology sector to continue to be able to sell into the EU in the future, for which they will require GDPR compliance. The new Regulation only allows transfer of data to third countries that demonstrate equivalent data protection laws

What information does the GDPR apply to?

The GDPR applies to ‘personal data’ relating to identifiable EU citizens, including names, ID number, location data, contact data and online identity. The GDPR’s definition makes it clear that information such as an online identifier – e.g. an IP address – can be personal data.

The GDPR also refers to sensitive personal data as “special categories of personal data. The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible. This could include chronologically ordered sets of manual records containing personal data.

What are the GDPR data handling principles?

The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the UK’s own Data Protection Act.

All personal data collected must be gathered lawfully and for specific purposes only. It must only be used for the purpose for which is was collected and is must be accurate.

The GDPR provides the following rights for individuals:

1. The right to be informed
2. The right of access, via a subject access request
3. The right to rectification
4. The right to erasure, the right to be forgotten
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling.

What is a personal data breach?

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data. It could also result where personal data has been inappropriately access accessed due to a lack of appropriate internal controls.

What breaches does a company need to notify the relevant supervisory authority about?

You only have to notify the supervisory authority of a breach where it is likely to result in a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.

This has to be assessed on a case by case basis. For example, you will need to notify the relevant supervisory authority about a loss of customer details where the breach leaves individuals open to identity theft. On the other hand, the loss of a staff telephone list, for example, would not normally meet this threshold.

How do I notify a breach?

A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. The GDPR recognises that it will often be impossible to investigate a breach fully within that time-period and allows you to provide information in phases.

If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay.

Failing to notify a breach when required to do so can result in a significant fine up to 10 million Euros or 2 per cent of your global turnover.

If a company does have to notify a breach, within the company. To the regulatory authority and even to customers, then an emergency notification system such as Crises Control can help you to manage this crisis event quickly and securely, making sure that the regulatory deadlines are met and fines are avoided.

What happens if businesses do not comply with the data handling principles?

The consequences of breaching the Regulation are game changing. The maximum financial penalty for non-compliance will be 4% of annual revenue or €20 million, whichever is the higher.

What steps do businesses need to take now?

The GDPR shifts the goalposts for businesses because it represents a fundamental change to the risks associated with data protection and the consequences of a data breach. This means that, if as a business you hold or process personal data, starting right now you need to know exactly what impact GDPR will have on your business.

Companies must make sure that their staff understand what constitutes a data breach. They should have an internal breach reporting procedure is in place. This will facilitate decision-making about whether they need to notify the relevant supervisory authority or the public.

In light of the tight timescales for reporting a breach - it is also vitally important to have robust breach detection and investigation procedures in place. This is where a behavioural monitoring tool like ThreatSpike can help companies to mitigate the potential for an insider data breach and also discover where one has already taken place.

Of course, the best defence against all of this is to take steps to improve the security of the company so that a successful cyber attack becomes less likely. These could include:

  • Train your employees and create awareness of security policies and a security culture
  • Ensure that your office physical security is adequate
  • Implement a strong password policy with regular changes
  • Implement nee security patches as soon as they become available