The UK’s data protection laws will be overhauled on 25th May 2018 - replacing the current Data Protection Act (DPA) with a new incarnation - the General Data Protection Regulation (GDPR).
The GDPR will change the way your business collects, processes and stores personal data. Here are the 10 key areas you need to understand for compliance:
1. Most businesses will be affected by the GDPR
Regardless of your geographical location, your business must be GDPR compliant if it processes the personal data of EU citizens. This is the first time that EU data protection regulations have been extended to include businesses from around the world.
2. The definition of personal data has been broadened
Under the GDPR, new kinds of personal data are introduced. For example, personal information such as mental, cultural, genetic and socioeconomic information is included. Consequently, areas that have not previously been affected by such data protection regulations must now comply with the GDPR.
3. The rules for obtaining consent for using personal information have tightened
If you want to use personal information then you must be able to prove valid consent under the GDPR.
Clear and affirmative consent is required - so it’s not enough to simply pre-select a tick box on an online form, for example. You need to provide clear and simple language when an individual provides personal information so that the individual understands what you plan to do with their data, how you are collecting this data and how you will process it.
4. Appointing a DPO will be mandatory for most
The GDPR will require organisations processing personal information to appoint a data protection officer (DPO) when core business activities include systematic and regular monitoring of data subjects.
According to a study conducted by the International Association of Privacy Professionals, this means that Europe will have to appoint 28,000 DPOs within the next two years.
This will even affect smaller companies that process personal data and have fewer than 10 employees. This is because the GDPR wants all businesses to provide data protection - regardless of their size or IT services.
5. PIAs will also be mandatory
Under the GDPR, Privacy Impact Assessments (PIAs) are mandatory for organisations with processes and technology that put the rights of the data subjects at high risk. These PIAs are part of the “privacy by design” ethos of the GDPR (covered in point 9) and will allow you to find and fix any issues at the early stage of a project, such as a new service offering, a business acquisition or a targeted marketing campaign.
6. Data breaches must be reported
You will have to notify your local data protection authority within 72 hours of a data breach being discovered once the GDPR comes into force. This means that you will need to have the processes and technology in place to detect a breach and to respond to and recover from it.
You may need to invest in additional staff training, or overhaul your procedures and processes to comply with this area.
7. Restrictive data handling principles will be enforced
Under the GDPR, you will not be able to hold personal data for longer than you need to. You also cannot change the use of the data from its original purpose when it was collected.
You must also delete any personal data at the request of the data subject, a process referred to as “the right to be forgotten”. Again, you may have to overhaul your processes and procedures to enable this change.
8. Liability goes beyond data controller
Liability is no longer the sole responsibility of data controllers - it will be extended to all organisations that process personal data. In other words, anyone who has come into contact with personal data is now liable under the GDPR.
9. Privacy by design is required
Under the GDPR, all of your software, systems and processes must follow an approach known as “privacy by design”. According to the ICO, this means building privacy and data protection compliance in from the start of any project your business undertakes.
In other words, you must consider data privacy of the relevant data processing both at the initial design stages of a project and throughout its lifecycle.
10. The GDPR provides a one-stop shop
If you work in a country with relatively permissive data protection principles then you will no longer be protected by these laws under the GDPR. This is because any European data protection authority can act against an organisation (regardless of where they are based).
In effect, the GDPR means you will only have to deal with one data protection authority, rather than work with a different one per EU member state. This will save both time and money for your business - and also provide EU citizens with one point of contact to voice any complaints or concerns.
Of course, the GDPR is a complex piece of legislation and your business will need to understand what it means for your exact circumstances.
Protecting your customers' data has never been more important. Secure your network with Cisco's unified security suite. Register your interest below to get a free Cisco POV Threat Scan assessment and network security audit to understand where your business needs help.