GDPR, what is it and is my company compliant?

The General Data Protection Regulation (GDPR) came into force on 25 May 2018.
Avoid fines and ensure GDPR compliance with totality services

What is GDPR?

GDPR is a regulation that strengthens and unifies data protection for all individuals within the European Union. Currently, the UK relies on the Data Protection Act (DPA) 1998, but this will be replaced by the new legislation.

It introduces tough fines for non-compliance and data breaches, and gives people more say over what companies can do with their data. The legislation affects both consumer data and business contact data; click here for B2B information from the DMA.

Why is the General Data Protection Regulation necessary?

The EU wants to achieve the following primary goals:

  • Give people more control over how their data is used by businesses
  • Provide people with peace of mind through data being securely stored & protected from hackers
  • Ensure email marketers address how they pursue, obtain, and document consent where it is needed

The current legislation was enacted before the internet and cloud technology created new ways of exploiting data, and the GDPR seeks to address that. By strengthening data protection legislation and introducing tougher enforcement measures, the EU hopes to improve trust in the emerging digital economy.

Scope of the GDPR

The General Data Protection Regulation (GDPR) applies from May 25, 2018 onwards, two years after its adoption in April 2016.

The regulation must be observed by any company with more than 250 staff, which on the face of it may give the impression that many UK small businesses will be exempt. However, it isn’t quite that simple. All businesses must still comply if they are involved in regular “processing” of certain categories of personal data, which legally is taken to include collecting and storing data as well as actually using it.

Despite the UK’s vote to leave the EU, businesses in the UK will still have to comply with data regulations while we’re in the EU, and it is strongly rumoured the law will continue following Brexit.

Key features of GDPR

If your business handles the personal data of employees or customers, GDPR applies to you. Wherever that data is processed or stored, including in the cloud or on mobile devices, all of it needs to be identified in line with GDPR.

The GDPR also gives the power over data handling back to citizens, who have the right to determine how their personal data will be used by businesses. GDPR also makes it possible for citizens to have their data “be forgotten” if they do not give consent to the use of their personal data: the right to erasure enables citizens to request that their personal data be erased. Citizens also get the right to port their data across different electronic or digital processing systems.

Breaches of data security must also be reported to the Information Commissioner’s Office (ICO) within 24 hours at a minimum and 72 hours at a maximum. The ICO can levy a penalty of £500,000 for data malpractice, while under the GDPR the penalty can be the higher of €20 million or 4% of annual business turnover.

What should your business do?

The first key step is to identify where all customer and employee data resides. Once you have a clear picture, you’ll need to engage with an IT support provider to introduce measures and software that proactively protect sensitive data. It’s critical that breaches are avoided, but if they do occur they must be reported and monitored to avoid fines.

For any help you may need with GDPR, please get in touch.


What type of company does GDPR apply to?

GDPR applies to any company that stores customer and prospective customer data; this includes data in mailboxes, on servers or in the cloud.

There are data ‘controllers’ and ‘processors’. The controller decides how and why data is processed, and the processor stores and handles the data on the controller’s behalf. If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to securely store and protect data, maintain records of data and log details of all processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.

However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

GDPR Compliance: how totality services can help

totality services can ensure your business is GDPR compliant for ‘Information security’ requirements. Our solutions include:

  • IT Security risk assessment of all systems and software
  • Anti-virus & Anti-malware software for Workstations & Servers
  • Central Security Management
    • Enforced daily virus and malware scans on all Workstations
    • Our helpdesk team is automatically & instantly made aware of any security threats (viruses & malware) on Workstations & Servers
  • Multi-Factor Authentication for Microsoft 365 & Google Workspace
  • Encryption software for Workstations, NAS devices & Servers
  • Data backup solutions for Microsoft 365, Google Workspace, NAS devices & Servers
  • Hosted Active Directory for security
    • Includes automated user password resets, workstation Operating System updates, screen locking after a defined period, single user sign-on credentials for all systems / software and much more

Other GDPR solutions we offer may be required depending on systems used.

Fines for breaching GDPR regulations

GDPR has been enforced since 25 May 2018, and breached organisations will find the fines they face increasing dramatically. Penalties reach an upper limit of €20 million or 4% of annual global turnover – whichever is higher.

For many businesses, the threat of insolvency or even closure because of GDPR penalties is very real.