Are you GDPR Compliant?
The General Data Protection Regulation, or GDPR, which became law on 25th May 2018, has overhauled how businesses process and handle data.
Why? Because if you are not compliant now, you could be operating illegally.
We have taken several of our clients through this process, with over 40 control documents adopted for their businesses so that you don’t have to write these from scratch.
Some GDPR Don’ts:
- Use information for a purpose other than that for which it was obtained without the consent of the person who gave it, or advice from the Data Protection Officer or equivalent.
- Disclose information to other staff members unless the use of that information is within their authorised duties.
- Take personal information out of the office unless we have to for work reasons.
- Leave confidential information on the printer; if we find any, we put the copies in the confidential waste bins.
- Send files to your personal email account, as this is a breach of the Data Protection Act 1998.
- Put information about individuals on the internet without specific and informed permission. (This would be considered an international transfer of personal data, and data protection rights outside the EU may not be equivalent to those within it.)
- Give out personal information over the phone or in person until we can confirm the identity of the caller.
- Include any sensitive personal information in any email message.
- Forward email messages containing personal information without consent unless they have been encrypted, password-protected or sent via a secure communications channel.
A complete, expert and professional service to implement GDPR compliance!
Audit – Review – Implement – Monitor
- We conduct a review of your current compliance against GDPR requirements.
- We review your existing policies, procedures and controls against the requirements of the GDPR and provide all necessary documentation.
- We then provide a detailed report on what needs to be done to become GDPR compliant.
Some common questions asked:
In order to be compliant, does the software I use, or the company producing it, need to be GDPR compliant?
In short, yes. GDPR is a process: your suppliers (inbound service providers) need to provide assurance that they hold and process your data legally and securely, just as you need to assure your clients (outbound services).
What is the difference between a regulation and a directive?
A regulation is a binding legislative act that must be applied in its entirety across the EU, while a directive is a legislative act that sets out a goal that all EU countries must achieve, leaving it up to the individual countries to decide how. It is important to note that the GDPR is a regulation (law), in contrast to the previous legislation, which was a directive.
When is the GDPR coming into effect?
The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation took effect after a two-year transition period and, unlike a directive, did not require any enabling legislation to be passed by government, meaning it came into force on 25th May 2018.
In light of an uncertain ‘Brexit’, should I still continue with GDPR planning and preparation?
If you process data about individuals in the context of selling goods or services to citizens in other EU countries, then you will need to comply with the GDPR, irrespective of whether or not the UK retains the GDPR post-Brexit.
Who does the GDPR affect?
The GDPR not only applies to organisations located within the EU, but also to organisations located outside the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
What are the penalties for non-compliance?
Organisations can be fined up to 4% of annual global turnover or €20 million for breaching the GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core Privacy by Design concepts. There is a tiered approach to fines: for example, a company can be fined 2% for not having its records in order (article 28), for not notifying the supervising authority and data subject about a breach, or for not conducting an impact assessment. It is important to note that these rules apply to both controllers (the person responsible) and processors (the persons using the data), meaning ‘clouds’ will not be exempt from GDPR enforcement.
What constitutes personal data?
Any information related to a natural person, or ‘Data Subject’, that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites or medical information to a computer IP address.