Symantec recently reported that 96% of UK businesses are not prepared for the new General Data Protection Regulation (GDPR).
Whilst we cannot confirm the statistic, in our experience many organisations have not acted upon the changes, and some are not even aware that anything is changing at all.
Whilst we are all seeing a rise in GDPR messaging on the internet and receiving many emails about GDPR, the communication from Companies House and the Information Commissioner's Office seems to have been very poor.
What is GDPR?
The UK has not seen a major shake-up of data protection law since the Data Protection Act 1998. In legal terms that may not seem long ago, but since then the amount of data held about each of us online has exploded.
Since 1998 we have seen the emergence of Google, Amazon and Facebook, and the iPhone has made its way into most teens' pockets. Marketing has got smarter at tracking and profiling us (just look at Snapchat and its tracking), and cyber threats have risen to epic proportions.
It is for this reason that from the 25th of May 2018 the new rules apply in all 28 EU member states, and to any company handling the personal data of individuals in the EU regardless of where in the world that company is based, in order to afford more protection to the individual.
Time to think differently about data
Firstly, what constitutes personal data is changing, and don't be fooled into thinking that because you do not trade with consumers this does not apply to you. Personal data is any data that can identify an individual in the EU, directly or indirectly: a name, sex, social status, and online identifiers including an email address, a postal address and potentially even an IP address.
The definition supplied under the new rule (Article 4(1)) reads:
"'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"
You will hold personal data even if you have no customer data at all: if you have staff, you have personal data and will need to comply with the new rules. Even if your data is held by a cloud provider in some far-flung destination, you are responsible for ensuring that the provider also complies with GDPR, and if it does not, both you and the provider are accountable, making this a truly global rule change.
The new rules are also very stringent on contacting people. Currently, companies contact prospects electronically or by telephone as they see fit; under GDPR this will be unlawful unless you have a lawful basis for doing so, which for direct marketing will usually mean freely given consent. Nor is this an ambiguous tick box: consent has to be clear and transparent, and relevant to the specific purpose you will use the data for.
This means that someone you email about your services without their consent could report you for breaching GDPR, and the penalties are far greater than before: the Information Commissioner's Office (ICO) will be able to fine businesses up to €20m or 4% of global annual turnover, whichever is higher.
You also need to be able to demonstrate how, why and when data and consent were obtained, where the data resides, how it is being used and how long you are going to keep it.
In our experience data sprawl across organisations is huge, with many companies having memory sticks and all manner of devices holding spreadsheets and files on local drives. This will not be acceptable unless you know who holds what data; should someone lose a laptop holding such data, that could be a personal data breach, which you will have 72 hours from becoming aware of it to report to the ICO (where it is likely to result in a risk to individuals) or face the consequences.
These are but a few of the considerations your business needs to be mindful of when it comes to the EU GDPR, and we will be letting you know more about GDPR changes and considerations over the coming months.
Discover more about GDPR with our FREE Guide to the General Data Protection Regulation
If you would like to talk to us about how we are helping businesses reach GDPR readiness, you can get in touch with our team on 0114 361 0062