If you hold data on individuals, you will be affected when the Data Protection Act is replaced by the General Data Protection Regulation. This change will have significant implications for any business processing personal data, particularly those with e-commerce, marketing, retail and wholesale operations.
The EU GDPR directive, which comes into force on 25th May 2018, aims to protect privacy and personal data, with clear penalties for those who contravene the legislation.
Surprisingly, 44% of IT professionals are uninformed of these new rules according to Computer Weekly, and in our experience, very few companies we have talked with have even heard of the impending General Data Protection Regulation.
The changes are significant and compliance will be challenging without data systems that provide key GDPR functionality.
What is "Personal data"?
This act covers all data and meta-data held about employees, prospects, customers, suppliers or anyone else, where they are referred to as an individual, as opposed to a company.
Post-Brexit - does this still matter to me?
When the directive comes into force in 20 months, the UK will still be governed by EU regulations. At the point when the UK leaves the EU, the GDPR directive will be used by the UK as a base for writing a replacement data protection directive. What's more, if UK organisations intend to trade with EU organisations, they will need to adhere to the GDPR.
How does GDPR differ from the current Data Protection Act?
The key changes include:
- A company must delete data if it is no longer used for the purpose for which it was collected
- The subject has the right to be erased if requested
- Firms handling a large amount of data, or sensitive data, must appoint a data protection officer (DPO)
- All businesses in the EU must be compliant, as must companies trading with EU organisations
- When data is collected, the purpose of this must be made clear
Data on loan
To understand the principles behind GDPR, you need to consider that any data that you hold has been loaned to you by the owner, and they are in control of who has it and what they do with it. Consent must be freely given for the use of any personal data and the use for this must be made clear.
Technical measures
Organisations should not underestimate the task of controlling data in line with the GDPR and appropriate database functions will be required by anyone with any volume of records. To implement compliance within a database system, the following functions will need to be implemented:
Encryption
The technical measures required to maintain compliance will include installing and maintaining security systems such as firewalls and regular software updates, and encryption of mobile devices and stored data.
Tokenization
The requirement for data erasure, whilst maintaining database integrity, can be addressed through tokenization of data. This is the process of substituting personal data with a 'token', such as a number or pseudonym, to remove individual identifiers. Transactional data can then remain, keyed by the token, while the personal identifiers behind it are erased in line with the General Data Protection Regulation.
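As an added illustration of the tokenization approach described above (example code, not OpusVL's own), a small Python token vault: the vault is the only store of personal identifiers, the ledger references customers by token only, and an erasure request removes the identifiers while the transactions and their totals remain intact. All names, e-mail addresses and amounts are constructed.

```python
import secrets

# Constructed example: personal identifiers live only in the vault; every
# other table refers to the person by an opaque, randomly generated token.

class TokenVault:
    """Maps tokens to personal data. Erasure removes the mapping only."""

    def __init__(self):
        self._by_token = {}   # token -> {"name", "email"}
        self._by_email = {}   # email -> token, so one person gets one token

    def tokenize(self, name, email):
        if email in self._by_email:
            return self._by_email[email]
        # Random token: nothing about the person can be derived from it.
        token = "CUST-" + secrets.token_hex(8)
        self._by_token[token] = {"name": name, "email": email}
        self._by_email[email] = token
        return token

    def resolve(self, token):
        return self._by_token.get(token)

    def erase(self, token):
        """Right-to-erasure request: drop the identifiers, keep the token usable as a key."""
        record = self._by_token.pop(token, None)
        if record is None:
            return False
        del self._by_email[record["email"]]
        return True


class Ledger:
    """Transactional data: references customers by token, never by PII."""

    def __init__(self):
        self.rows = []

    def record(self, token, amount_pence):
        self.rows.append({"customer": token, "amount_pence": amount_pence})

    def total_for(self, token):
        return sum(r["amount_pence"] for r in self.rows if r["customer"] == token)


def demo():
    vault, ledger = TokenVault(), Ledger()
    tok = vault.tokenize("Alice Example", "alice@example.com")  # constructed
    ledger.record(tok, 1999)
    ledger.record(tok, 500)
    identified_before = vault.resolve(tok) is not None
    erased = vault.erase(tok)           # the subject asks to be forgotten
    return {"identified_before": identified_before, "erased": erased,
            "identified_after": vault.resolve(tok),
            "rows": len(ledger.rows), "total_pence": ledger.total_for(tok)}
```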
Portability
A further technical requirement of GDPR is the right to portability. To comply, data must be made available in a manner that can be loaded into alternative systems. To meet this requirement, Open Standards should be used where they exist, and it is likely that this requirement will generate future open standard data interchange formats. Within this scope is not only the textual data but other files, documents and images.
What to do now:
- Start with adding GDPR non-compliance to the risk register
- Assess the overall impact of GDPR on your business
- Investigate legal implications for your organisation
- Make sure your team is aware of the GDPR directive
- Review and update privacy notices
- Create a GDPR compliant process for data access requests
- Ensure you can erase personal data without damaging database integrity
- Plan to encrypt all data stored on mobile/portable devices
- Determine how portability requests will be handled
Time for action
It is imperative that businesses take steps to ensure they are ready for GDPR. Existing systems need to be evaluated to ensure that the regulations are met. Should you need to transition to new software to meet these demands, remember that it can take between 9 and 18 months to re-platform following the selection of a provider.
For further advice please contact OpusVL on 01788 298 450 or email enquiries@opusvl.com