In this article, the second in our GDPR series, we’ll look at the content of the GDPR and what you’ll need to look at and address to be on the right side of the law.
When do I have to be compliant?
The GDPR comes into force in all member states of the EU on 25th May 2018. This covers businesses within the EU and businesses outwith the EU that offer goods and services or monitor individuals there.
Is it any different to the Data Protection Act?
Yes, it is. All the DPA protections remain, but there are other significant changes and additions. The principal ones are Consent, Data Subject Rights, and Accountability.
Ok – what is involved in those?
Good practice is still relevant – if you have been on top of data security until now, it should be easier for you to comply. If not, or if you have any doubts, now is the time to get an audit done. You can ask us about that here. Otherwise:
Consent to gather and process personal data must be explicit, so no more pre-ticked “opt in” boxes. Data privacy notices will need to be more detailed and compliant. Consent must be open and freely given, not hidden in the small print. Individuals can also withdraw consent at any time, and you must be able to act on that withdrawal.
Data Subjects’ rights
This one is a bit less clear-cut, but it includes two new rights. One is the right to be forgotten, which means deletion of a person’s data on request; the second is data portability. That means that if a person or client wants to move their data, you must be able to hand it over safely, completely and securely.
Under the GDPR, you must not only be compliant, you must also be able to demonstrate that compliance. Data processors are now subject to regulations that previously applied only to data controllers, so this is a big step. Keeping clear accountability records could be helpful in the event of a data breach. The GDPR also prohibits data transfer outside the EU under certain conditions, but these are much the same as under the current Data Protection Directive that we noted in our last article, which you’ll find on this page.
What is the most important change?
Security by design is the core of the Regulation. Data security has never been more important. With the number of cyber attacks at an all-time high, now is not the time to have slack data security, no data protection policy, staff who are unaware of their role as the “human firewall”, and no properly maintained business firewall. Failures here are where the sanctions and fines will bite, and they can be substantial.
Understood. I need to do something about this – but what?
Secure connectivity is the key to success in creating an effective data protection programme. A managed service provider like KubeNet can provide professional advice and help you to create a resilient, secure network that complies with the GDPR, protecting your business and your customers. Time is of the essence: with May 2018 fast approaching, the time to act is now. Contact KubeNet to arrange an assessment of your current network, particularly your security provisions, and find out how we can help. Email us on firstname.lastname@example.org or call 0344 873 4488. We’re here to help.
You’ll find out more in the last article in this series next week – it’ll cover the practical steps that you can take and what each means for you and your business.
KubeNet – We Listen, We Understand, We Deliver.