GDPR – separating fact from fiction (what it is and what it isn’t)
It’s all about data
Our technology-based society generates massive amounts of data. Data drives our lives, and when data gathering, data management and data usage all work well, we feel secure and happy. That data covers everything from the information governments and companies hold to pay our salaries and collect our taxes, to the airline tickets we buy for a holiday and the online shopping delivered to our door. Gathering, using and exchanging personal data has become a day-to-day activity for just about every business, and as collection sources have expanded into social and regulatory areas, more accurate targeting of goods and services has become possible, leading to the incredible rise of the analytical and segmentation tools we see today.
Why do we need GDPR then?
Data techniques have changed our lives. Unfortunately, that’s sometimes not for the better.
Data is also open to misuse: unwanted sales contact, inboxes full of spam and text messages, stolen financial details, ads that follow our digital footprints around the web and, more ominously, intrusion into our privacy and private lives. Left unchecked, data carries a real potential for harm, and for mayhem when hackers and ransomware are involved. Under the previous regime we had a right to data confidentiality, meaning our personal data was protected to the extent the technology of the day allowed. The new General Data Protection Regulation goes further and seeks to give us control over how our personal data is managed and protected, in an age of rapidly expanding and increasingly invasive technology.
What is it?
Currently, the EU is covered by the Data Protection Directive. A Directive sets out the result to be achieved and leaves each member state to transpose it into its own national law, which is how we got our own Data Protection Act here in the UK. The GDPR is a Regulation, i.e. it is directly applicable EU law in every member state without any national legislation being needed. It was adopted in 2016 and applies from 25 May 2018, from which date it is the law in the UK.
Aren’t we leaving the EU?
Yes. However, we will be covered by EU law until we leave, and potentially through any transition period, and the UK Government has said that it will then enact the GDPR as UK law. In any case, the Regulation applies to businesses outside the EU as well: if you offer goods or services to people in the EU, monitor their behaviour, or process personal data on behalf of an EU-based business, you need to be compliant with GDPR or you face the penalties the Regulation contains.
What does it do?
The GDPR takes what we already have and develops it. It is not a new and draconian EU law, and it is not intended to penalise. It is intended to protect, and to require what good data protection practice delivers already: security and confidentiality. Wikipedia describes its aims as: “minimise collection of personal data, delete personal data that’s no longer necessary, restrict access, and secure data through its entire lifecycle.”
What is the main thing I need to know?
A central requirement of the GDPR is “Privacy by Design” (the Regulation calls it data protection by design and by default). That means your systems must have privacy and data protection built in as core elements of their design, structure and usage, rather than bolted on afterwards. Breaches of personal data are the area where enforcement of the Regulation bites hardest.
What do you mean by Breaches?
A personal data breach is any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Lost laptops and misdirected emails count just as much as hacking. Under the GDPR a breach must be notified to the data protection regulator (the ICO in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. Where the breach is likely to result in a high risk to those individuals, they must be told as well. The 72-hour clock makes it essential that staff know how to recognise and escalate a suspected breach internally, so that the time is not lost before anyone senior hears about it.
What are the implications?
Let’s take an example. Say you are a business that loses, or has hacked, the personal account details of your customers. You can be fined up to 4% of your global annual turnover or €20 million, whichever is higher. That’s turnover, not profit. Failures such as inadequate record-keeping, inadequate security measures or failing to notify a breach fall into the lower tier, which is up to 2% of global annual turnover or €10 million, whichever is higher. These penalties apply to companies and businesses of any size, so non-compliance could be an expensive business.
What do I do now?
Look out for the blog in this series, where we’ll delve deeper into the content of GDPR and what it means for you and your business.
Right now you can do two things:
Firstly, make sure that your IT Director, your MD or CEO, and your FD or CFO are briefed about GDPR and its implications, and that you have a project plan in place for compliance.
Secondly, get in touch with us here at KubeNet to arrange a consultation and an assessment of your current network, particularly your security provisions. Email us on firstname.lastname@example.org or call 0344 873 4488. We’re here to help.