The new data regulation plan of the European Union is set to hit in May 2018. If you do business online or have any web presence at all, it’s in your best interest to understand a bit more about what this entails.
Not familiar with the GDPR yet? Then let’s get you up to speed. GDPR refers to the EU General Data Protection Regulation. It will replace the Data Protection Act currently in place. It is going to give people more control over their data and a say in what companies will be able to do with it. The data protection rules of the entire EU will be unified, and businesses that don’t comply will face serious fines. The regulation even honours the right to “be forgotten” and will allow more finely tuned consumer consent and rules for access. Breach reporting within 72 hours will also be part of the new system.
If you think this is the last of your worries because you’re outside of the EU, think again. If you deal with anyone that does live in the EU, you’ll be subject to the new rules. It’s especially important to know this if you deal with any business within that particular marketplace.
With the expanded jurisdiction that the GDPR will bring forth, the entire landscape of data privacy regulations will change. Just consider the following statements:
The GDPR will apply to an organisation within the European Union, as well as organisations from elsewhere if they are offering any services or goods to potential EU data subjects. Even those monitoring the behaviour of anyone within the EU must comply. The location of the company is of little consequence. Every company throughout the world will be held accountable and subject to all fines if they do not honour the regulations being set forth.
This marks a major change for the world at large. It doesn’t matter if you’re an employee, employer, or have your own business. It’s important to know as much about GDPR as possible. If you aren’t sure exactly how the changes will affect your business, in particular, it’s probably best you confer with a GDPR consultant.
The GDPR is set to take effect on the 25th of May in 2018. It’s not that far off as of the writing of this article. So, it’s important to start getting ready.
The more data you have to deal with from one day to the next or the higher your position within your company, the more integral it is for you to follow all of the new rules. Employers are going to need to double their efforts in order to comply. If you face any auditing in the future after GDPR, you will face incredible scrutiny if you happen to play a key role in your organisation.
There are several key points that you’re going to need to follow in order to take all of the proper measures. Your first step will depend on your current role. If you have your own business, you need to do whatever possible to remain compliant with the rules. If you’re an employer, you need to secure the same for yourself and your employees alike. As an employee, you should also make sure that your company is complying to avoid being held accountable in the future.
Even charitable organisations must be compliant with the GDPR. Any data collected must be given with full permission. You should also be sure not to look at any data without permission or a legitimate reason. It may seem the world’s gone mad, but it’s become increasingly important to reduce the risk of information falling into the wrong hands.
If you’re an employer, you need to restrict access to any data your company has collected. Only those who have the right to look at the data and are sure to treat it responsibly should be given access. If you can cut down on the number of people looking into your data, leaks and problems like identity theft become less probable.
If there’s actually some reason why you’d need to access your data, there’s an important question that you should be asking yourself. Do you really need to make a record of the data by writing it down or downloading it? If you can safely answer no, make sure to avoid doing so!
If you store data, you’re only increasing all of the risks that come along with doing so. Stored information can be compromised, and a mountain of problems tends to follow from there. Any data that has been retained without a legitimate reason will get you into quite a bit of hot water.
All data that is collected should also be kept in one location so that it can be kept track of. It’s important that information can be provided about it down the road. If you’re an employee of a company, it’s in your best interest to find out what sort of information is being stored there. Be sure to make a push for every measure to keep it safe. Employers can also make great strides towards compliance by discussing the exact information your company is gathering in an open manner with your GDPR consultant. It’s best to check if you really need the info in the first place.
GDPR training may be necessary to help make sure your organisation is handling all of its sensitive data properly. The guidelines may be updated over time as well, requiring routine checkups to make sure everyone is on the same page. Courses can be taken online or through a GDPR consultant.
It’s important as an employer that you facilitate a full knowledge of the new rules. This is truly the best way to assure your overall compliance. If possible, try to make sure you offer refresher courses at least once a year. Some organisations may put the responsibility on the employees to remain up to date, but you may as well provide mandates from the top down to avoid trouble in the future.
Training may be considered optional to some, but it would be a truly bad idea not to spread as much education about the matter as possible. There will be ample GDPR guidance materials such as handbooks and online instructions. It’s best to take full advantage of them and get everyone on the same page as soon as this information becomes available.
Thanks to our increased computer usage, most people have more than their fair share of passwords to juggle. The temptation is obviously there to make them simple to remember and then use the same word or string of numbers for every single account. If you’re responsible, you’ll avoid this at all costs.
Make sure you always change any default passwords you’re given and make them completely unique. Some good guidelines to follow: use at least 8 characters with a mixture of lower and uppercase letters, numbers, and even punctuation marks if possible. Each of your passwords should also ideally be different from one another. If you’re an employer, make sure your login system checks for weak passwords and rejects them.
If possible, make sure you turn on “two-factor” authentication for your accounts as well. Not every service offers it, but it’s incredibly handy. This way, you’ll receive a notice on your phone or by e-mail if one of your accounts is being accessed from elsewhere, and a stolen password alone is not enough to get in.
It isn’t easy to keep up with a wealth of different passwords of course, but it’s mandatory. If you want, you can make your life a bit easier by using a password manager program like Zoho Vault. It’s much safer to keep track of them personally however.
Any device that’s used for your business needs to be secure. Do whatever has to be done to do so. USB drives, phones, laptops, and other digital storage all need security. Encryption is the best route to take when facilitating this.
Encryption will give you multiple levels of security. The strongest forms of encryption cost more, but try not to go too cheap if you can help it. Your GDPR consultant will likely have information to help you determine the best option for your needs.
Employers need to make sure that their employees’ devices are checked by an IT expert for security. Paper records need to be kept secure as well. It’s important that they are kept in a safe location and locked up until needed.
E-mail is another area in which security is crucial. Many data leaks have occurred because of poor e-mail server encryption. People tend to have plenty of data hidden in their e-mail history. With all of this in mind, it’s a good idea to use a reputable e-mail service and make sure every message going through is well protected. Each employee of a company should also archive their messages as carefully as possible. This will be especially useful if any particular information relating to a former customer needs to be deleted.
GDPR refers to what is called pseudonymisation, which in simple terms means holding or transferring personal data in a form that can’t be linked back to a person without some separately held piece of information, such as an encryption key. This might take the form of a unique reference ID in place of someone’s name if you were storing this information in a database, with a separate table of names that correspond to the reference IDs stored on another system; both tables are needed to recreate the data. If a data breach occurred and personal data was stolen in transfer, the theory is that the stolen data wouldn’t expose actual names, only reference IDs.
Websites that use HTTPS send data over an encrypted connection, so you could say that if your website has an SSL/TLS certificate you’re on your way to GDPR compliance. This would certainly cover the data transfer part but would not cover a database breach unless the database was encrypted as well. This is the most ambiguous part of the GDPR as it relies (to a certain degree) on how you interpret pseudonymisation. An often mentioned example of pseudonymisation is encryption, whereby data is held in encrypted form and requires a key (stored separately) to decrypt it.
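The reference-ID scheme described above, as an added example rather than the article’s own code (the customer records and the key are constructed for illustration): records keep only a keyed reference ID, the name table is produced separately for storage on another system, and both are needed to recreate the data.

```python
import hmac
import hashlib
import secrets

# Constructed sample records, as a customer table might hold them.
CUSTOMERS = [
    {"name": "Alice Example", "email": "alice@example.com", "plan": "gold"},
    {"name": "Bob Sample", "email": "bob@example.com", "plan": "basic"},
    {"name": "Alice Example", "email": "alice@example.com", "plan": "gold"},
]

DIRECT_IDENTIFIERS = ("name", "email")


def reference_id(key: bytes, name: str, email: str) -> str:
    """Keyed HMAC over the direct identifiers. Unlike a plain hash, nobody
    can recompute or guess an ID from a candidate name without the key,
    which is kept with the lookup table, not with the data."""
    msg = f"{name.casefold()}|{email.casefold()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]  # truncated for readability


def pseudonymise(records, key):
    """Return (pseudonymised_records, lookup_table). The lookup table is the
    part to store on a separate system; the records can then be processed
    or transferred without exposing names or e-mail addresses."""
    lookup, out = {}, []
    for rec in records:
        rid = reference_id(key, rec["name"], rec["email"])
        lookup[rid] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"ref_id": rid, **rest})
    return out, lookup


def reidentify(pseudo_records, lookup):
    """Recreate the original rows; only possible with both tables."""
    return [{**lookup[r["ref_id"]], **{k: v for k, v in r.items() if k != "ref_id"}}
            for r in pseudo_records]


def leaks_identifiers(pseudo_records) -> bool:
    """True if any pseudonymised row still carries a direct identifier."""
    return any(k in rec for rec in pseudo_records for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated once; stored alongside the lookup table only
    pseudo, table = pseudonymise(CUSTOMERS, key)
    print(pseudo)  # plan data with ref_id only, no names or e-mails
    print(reidentify(pseudo, table) == CUSTOMERS)  # True
```

Because the same person always maps to the same reference ID, the pseudonymised rows can still be joined or counted per customer without the name table.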
If you don’t need a piece of data any longer, it’s time to get rid of it. It’s also important to note that deleting something from a drive doesn’t necessarily mean it’s all gone. Data can be restored from hard drives and USB sticks quite easily. Consult with your tech support team to learn how to get rid of data for good.
Paper records should also be discarded as thoroughly as possible. Have them shredded professionally rather than merely thrown out.
It’s also important that clients are given a say in how their data will be stored. They should have the right to say when it is gotten rid of as well. Every company will need a system in place to deal with the customers’ needs on all fronts. If you can get rid of data you don’t need in the first place, you’ll be in much better shape since there are fewer risks involved.
If complying with the GDPR feels like trying to hit a moving target, that’s because personal data is, in fact, frequently moving – and that makes it more difficult to identify and protect. You can use a number of technologies, such as encryption and pseudonymisation, to help keep data private whether it is at rest or in transit, but it’s essential that you know your options and choose carefully.
Here are 3 useful resources produced by the Information Commissioner’s Office (ICO) which you may find helpful for a deeper understanding of GDPR:
Overview of the General Data Protection Regulation (GDPR)
Debunking some of the myths circulating about GDPR
Preparing for GDPR: a 12 step checklist of steps to take now