A simple guide to GDPR for business

The General Data Protection Regulation (GDPR) (EU 2016/679) is a regulation by which the European Union intends to strengthen and unify data protection for individuals inside the EU. It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.


The GDPR applies to both ‘data controllers’ and ‘data processors’. Data controllers usually own the data and data processors handle data on the controller’s behalf. The GDPR applies to data processing carried out within the EU. It also applies outside the EU when goods or services are offered to individuals inside the EU.

The GDPR applies to HR records on employees, customer lists, or other contact details, held either digitally or manually.

The GDPR will come into force in May 2018, at which time the UK will still be a member of the EU. The UK government has also announced that even after it leaves the EU the GDPR itself, or equivalent data handling principles, will still be applied to the UK. This will enable the UK technology sector to continue to exchange data with the EU in the future. The new Regulation only allows transfer of data to third countries that demonstrate equivalent data protection laws.

The GDPR applies to ‘personal data’ relating to identifiable EU citizens, including names, ID number, location data, contact data and online identity. The GDPR’s definition makes it clear that information such as an online identifier – e.g. an IP address – can be personal data. The GDPR also includes sensitive personal data, including genetic data, and biometric data where this can identify an individual.

The GDPR applies to both automated personal data and to manual paper filing systems where personal data are accessible. This could include chronologically ordered sets of manual records containing personal data.

The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the UK’s own Data Protection Act.

All personal data collected must be gathered lawfully and for specific purposes only. It must only be used for the purpose for which it was collected and it must be accurate.

The GDPR provides the following rights for individuals:

  1. The right to be informed
  2. The right of access, via a subject access request
  3. The right to rectification
  4. The right to erasure, the right to be forgotten
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is not just losing personal data. It could also result where personal data has been inappropriately accessed due to a lack of appropriate internal controls.

A business has to notify the relevant supervisory authority of a breach where it is likely to result in a significant detrimental effect for individuals – for example, resulting in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.

This has to be assessed on a case-by-case basis. For example, you will need to notify the relevant supervisory authority about a loss of customer details where the breach leaves individuals open to identity theft. On the other hand, the loss of a staff telephone list, for example, would not normally meet this threshold.

A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. The GDPR recognises that it will often be impossible to investigate a breach fully within that time-period and allows you to provide information in phases. If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay.

If a company does have to notify a breach, internally, to the regulatory authority and even to customers, then an emergency notification system such as Crises Control can help you to manage this crisis event quickly and securely, making sure that the regulatory deadlines are met and fines are avoided.

The consequences of breaching the Regulation are game changing. The maximum financial penalty for non-compliance will be 4% of annual revenue or €20 million, whichever is the higher.

Every business needs a document management system that allows them to record, store, find and delete data quickly and easily. That is where Intelefile can help.

The GDPR shifts the goalposts for businesses because it represents a fundamental change to the risks associated with data protection and the consequences of a data breach. This means that, if as a business you hold or process personal data, starting right now you need to know exactly what impact GDPR will have on your business.

Companies must make sure that their staff understand what constitutes a data breach. They should also have an internal breach reporting procedure in place to facilitate decision-making about the need to notify the relevant supervisory authority or customers. The Transputec Academy can assist with the training and accreditation necessary for GDPR.

In light of the tight timescales for reporting a breach, it is also vitally important to have robust breach detection and investigation procedures in place. This is where a behavioural monitoring tool like ThreatSpike can help companies to mitigate the potential for an insider data breach and also discover where one has already taken place.

Of course, the best defence against all of this is to take steps to improve the security of the company so that a successful cyber attack becomes less likely. These could include:

  • Train your employees and create awareness of security policies and a security culture
  • Ensure that your office physical security is adequate
  • Implement a strong password policy with regular changes
  • Implement new security patches as soon as they become available