Any business that holds the personal data of EU residents will need to ensure that it complies with the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018. Fines of up to €20 million or 4% of global turnover (whichever is higher) can be imposed if the data under your control is compromised.
Let’s look at how the GDPR will impact you:
What does this mean for your business? Going further than the current Data Protection Act 1998, the GDPR means you will be responsible for ensuring that all personal and sensitive customer and staff data is held safely and securely, is easily accessible to the individual and is deleted on request.
What is classed as personal data? Personal data is information relating to an identifiable person. This can be the name of a consumer or a business owner, an email address, an IP address, photos, HR data, CCTV footage and so on. It really is difficult to think of a company that won’t need to comply.
Despite England leaving the EU, this new regulation will still be adopted and is very likely to remain in force after Brexit.
How will this affect your business? It is important that your business is able to locate and track all personal data; this includes information held in customer databases right through to data stored on laptops and mobile phones.
Does your business know where all personal data is located? Do you have processes in place to ensure the data is accessible and safe?
This new regulation means you will need not only to locate the data and share it on request, but also to demonstrate that the data is safe and that you have appropriate safeguarding processes in place.
All data breaches will need to be reported within 72 hours and significant fines are likely.
How you can help protect your data
- Document and be aware of where you are storing personal data
- Enforce encryption on all computers and check that they have a Trusted Platform Module (TPM) chip, which provides seamless integration with Microsoft BitLocker hard-disk encryption.
- Review IT security and carry out cyber-security testing
- Introduce controls and restrict data access permissions to personal data
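As an added example (not from the original article), the following PowerShell script checks the TPM and BitLocker points above on Windows machines and produces a compliance record you can keep as evidence. It assumes Windows 8.1/10/11 or Server 2012 R2 and later with the built-in TrustedPlatformModule and BitLocker modules, an elevated session, and WinRM remoting for the fan-out; the hostnames are constructed placeholders.

```powershell
# Added example, not the article's own code. Summarises TPM state and
# OS-drive BitLocker state on each machine so encryption can be evidenced.
Import-Module TrustedPlatformModule -ErrorAction Stop
Import-Module BitLocker -ErrorAction Stop

function Get-DiskEncryptionCompliance {
    # Returns one object describing the TPM and the operating-system volume.
    $tpm     = Get-Tpm
    $osDrive = (Get-CimInstance -ClassName Win32_OperatingSystem).SystemDrive
    $vol     = Get-BitLockerVolume -MountPoint $osDrive

    # Key protector types show whether the volume is actually bound to the TPM
    # (e.g. Tpm, TpmPin) rather than only protected by a password.
    $protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','

    # Compliant = TPM present and ready, volume fully encrypted, protection on.
    $compliant = $tpm.TpmPresent -and $tpm.TpmReady -and
                 ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                 ($vol.ProtectionStatus -eq 'On')

    [PSCustomObject]@{
        ComputerName     = $env:COMPUTERNAME
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady
        OsDrive          = $osDrive
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        EncryptionPct    = $vol.EncryptionPercentage
        KeyProtectors    = $protectors
        Compliant        = $compliant
    }
}

# Constructed placeholder hostnames; replace with your own inventory list.
$computers = @('LAPTOP-01', 'LAPTOP-02')

# Run the check on each machine over WinRM and keep the results as evidence.
$results = Invoke-Command -ComputerName $computers `
                          -ScriptBlock ${function:Get-DiskEncryptionCompliance}
$results | Export-Csv -Path ".\encryption-compliance.csv" -NoTypeInformation

# Machines that still need attention (no TPM, TPM not ready, or drive not protected)
$results | Where-Object { -not $_.Compliant } |
    Format-Table ComputerName, TpmPresent, TpmReady, VolumeStatus, ProtectionStatus, KeyProtectors
```

A machine that reports a TPM but no TPM-type key protector is encrypted without hardware key protection, so it is worth listing those separately when reviewing the CSV.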
How can you ensure your business is compliant? All businesses will need to devise and implement relevant processes and procedures for the collection, storage and sharing of personal data, and these need to be in place by May 2018.
For some businesses becoming compliant could take up to three months.