As you may be aware, the new GDPR regulations come into effect on May 25th 2018. If you are already complying with the current Data Protection Act (DPA), you will find that many of the GDPR requirements are one and the same. However, there are many new elements and significant changes which will affect the running of your business. There will be many procedures you need to carry out for the first time, and some which you will need to start doing differently.
It is important that you take the time to understand how the new GDPR regulations will affect your business. To get you started in the right direction, we asked Jim Sneddon, founder of AssureData, a few questions about the new guidelines.
1. What is GDPR?
The GDPR (General Data Protection Regulation) is the biggest change to EU data protection law in decades. It has come about to take into account the way in which we now do business in a connected, online, electronic era.
Maximum proposed penalties are £17M, or 4% of gross global turnover (whichever is greater), which is a significant increase on the current UK maximum of £500,000. However, as long as organisations are taking it seriously and moving to become compliant by the 25th May 2018, then it is very unlikely they will receive this level of penalty.
2. When does GDPR come into full effect?
May 25th 2018
3. Why is GDPR important?
When we look at breaches such as the recent Yahoo incident (3 billion + user records exposed), or Equifax (145.5M user records breached), we can see that enough care is not being taken around securing personal data in general. Those breached details could be used for identity theft, emptying of bank accounts, or other damaging purposes. This is why we need to take data protection of personal details seriously.
4. Who does GDPR apply to?
Any data controller, or processor (third parties that data is shared with), globally who stores or processes the data of European citizens or residents, whether customers or employees.
5. Define being GDPR compliant
Data protection is an iterative process which never really ends. Just like updates to anti-virus, or patches to software, the same care needs to be taken around keeping on top of compliance with the GDPR regulation. So, it is very hard to define being compliant other than at a specific point in time.
6. What are the penalties for failing to comply with GDPR?
Maximum penalties are €20M or 4% of gross global turnover (whichever is greater). There is a lot of scaremongering around the penalties; however, there are a lot of other measures that would likely be taken before being given a fine, such as audits or advisories, so don’t believe the hype.
7. How should my business prepare for GDPR?
Do some awareness training, conduct a gap analysis and from that build a plan that you can prove you are executing against to reduce risk. The ICO (Information Commissioner's Office) website also has some great tools and resources for free.
8. Who within the company is responsible for GDPR?
Everyone; however, it would be best to get a cross-functional team with heads of department and management to feed into someone who has responsibility for the programme.
9. What type of data is protected under GDPR?
Personal data only. Anything that cannot identify an individual is out of scope.
10. Where can I find more information on GDPR?
For the first time ever, Datto will be hosting a LIVE quiz show featuring Jim Sneddon and Datto's very own top Sales Engineer and ransomware expert, James Mason, covering all things GDPR. You can sign up for the event here! You will also find more information on GDPR on the ICO website here: https://ico.org.uk/