General Data Protection Regulation (GDPR): Is your business prepared? MWL Systems


From May 2018 new data protection regulations will come into force which will significantly impact the procedures used for the processing of data. The new regulations will apply to all businesses operating within the European Union and those working with data from EU states; this means that these new regulations will still apply post-Brexit. With very little time left until GDPR is introduced, businesses that haven't already done so must prepare for how these changes will affect their processes.

What is GDPR?

GDPR will cover the secure collection, storage and use of all personal information held by businesses of all sizes. Businesses will be required under GDPR to clarify precisely what data has been collected, how it will be stored and what it will be used for, to both regulatory bodies and the individuals themselves.

Why is GDPR needed?

Inconsistent regulations

Current regulations under the Data Protection Act are extremely inconsistent across EU member states, with strict enforcement in some and relatively lax enforcement in others. GDPR will provide consistent regulations, enforcement and reporting across the European Union, thus ensuring individuals' data is thoroughly protected.

Cyber security

Recent years have seen a massive increase in cyber attacks and cyber security related issues amongst the business community, with 74% of UK SMEs experiencing security breaches in . As a result of this, data is at constant risk. Subsequently, businesses must put adequate procedures in place to ensure data is securely and legally gathered, used and stored.

What do businesses need to consider?

Consent

In order to lawfully process data, businesses must gain adequate consent from individuals. GDPR aims to provide individuals with substantially more control over their own data and how it is used by businesses. Guidance on consent includes:

- Businesses must explicitly ask an individual for use of their data; this requires an individual to actively choose to give consent (i.e. pre-ticked opt-in boxes will not be accepted; the individual must physically tick the box).
- It should be made clear to individuals what their data will be used for.
- A record must be kept of the individual's data, when it was gathered and how it was gathered, as well as a record of any third parties that have also been party to the data.
- Requests for data must be straightforward, not confusing or ambiguous.
- The process by which individuals can withdraw consent at a later date must be clearly outlined at the outset.
- Data that is to be used for multiple purposes must have consent for each individual aspect.
- Consent should not be bundled in with a business's Terms and Conditions; it should require an entirely separate method of acceptance.

Breaches of data

A breach of data is defined as the destruction, loss, alteration, unauthorised disclosure of or unlawful access to an individual's personal data. As current regulations across the EU are inconsistent, GDPR will introduce a clear and uniform process across the board for notifying breaches of data. Under GDPR, businesses will now be required to report breaches of data to the appropriate supervisory authority within 72 hours of learning of said breach. Businesses must provide details on the nature of a breach, the number of people that have been affected and the adequate contact information.

Consequences of non-compliance

Alongside stricter regulations for data protection, GDPR will also come with a substantial increase in non-compliance penalties. Repercussions will come in two separate tiers, depending on the seriousness of a breach by an organisation:

Tier 1

Those organisations that are hit with a tier 1 penalty will have breached data protection in a manner that is deemed to have put highly important data at risk. This will result in a fine of up to 20 million or 4% of an organisation's previous year's global annual turnover (whichever is the greater).

Tier 2

Other data breaches will result in a fine of up to 10 million or 2% of the previous year's global annual turnover (whichever is the greater).

What can businesses do to prepare?

1. Review all current processes for collecting, storing and using data and ensure that they fall in line with GDPR regulations prior to it commencing.
2. Begin to record data operations and activities so that you have a thorough history in preparation for May 2018.
3. If your business or organisation has more than 250 employees, the new regulations will require you to have a designated data protection officer.
4. Educate your staff on both data and cyber security processes.
5. Review your cyber security processes so that if they are found to be lacking, they can be rectified.
6. Put an incident response plan in place and ensure all staff understand the implications and how to put it into practice.

How can MWL Systems help?

Here at MWL Systems, our team are experts in reviewing and implementing effective cyber security and data protection measures within businesses. Not only do our services prepare businesses for this substantial change, they also ensure that businesses are fully protected from any potential threats that cyber crime poses. To ensure your business can attest to being fully compliant with GDPR come next May, get in touch with MWL Systems to take advantage of our effective services.