When reviewing GDPR as a board member or senior manager, you should be asking how safe your digital assets are, not just the personal data. As part of GDPR, you should be taking into account one of your most valuable assets, your Intellectual Property. This will typically be in the form of digital content, e.g. diagrams and documents. Such content may well be protected initially, but once it has left the organisation it can be quite difficult to limit or control access to these valuable and company-confidential assets.
What is GDPR?
The General Data Protection Regulation (GDPR) is produced by the EU’s Article 29 Working Party. GDPR requires that organisations be able to identify, protect, and manage all personally identifiable information (PII) of EU residents, even if those organisations are not based in the EU. The GDPR applies to any organisation holding or processing personal data of EU citizens. With Brexit, the UK is scheduled to leave the European Union; it is, however, important to note that the UK has adopted this legislation and it will come into force on 28 May 2018. The Information Commissioner’s Office (ICO) is the data protection authority responsible for overseeing the implementation of GDPR legislation in the UK.
The UK currently relies on the Data Protection Act 1998, which will be superseded by the new GDPR legislation. GDPR is intended to more or less unify the way data protection rules are implemented across EU countries and to strengthen the rights of the individual where personal data is concerned, in terms of what companies can do with that data. In effect, individuals retain their legal rights to the data, and the protections around its usage, even while the data is under the stewardship of the organisation. It also introduces stricter fines for breaches and non-compliance.
Key elements of GDPR
- If your business is not in the EU, you will still have to comply with the regulation
- The definition of Personal Data is broader, bringing more data into the regulated envelope
- Consent will be necessary for processing children’s data
- The rules for obtaining valid consent have been changed
- The appointment of a Data Protection Officer (DPO) will be mandatory for certain companies
- Mandatory Data Protection Impact Assessments have been introduced
- There are new requirements for data breach notifications
- Data subjects have the right to be forgotten
- There are new restrictions on international data transfers
- Data Processors share responsibility for protecting personal data
How does it affect you?
If you are a business, you need to take certain steps to ensure that you are GDPR compliant. In the UK, you can refer to the Information Commissioner’s Office (ICO) for guidance; check out their “12 steps to take now”. According to Gartner, “Organizations Are Unprepared for the 2018 European Data Protection Regulation”.
If you haven’t already, you have less than 4 months to become compliant!