Cyber security and data protection compliance are big topics at the moment. All businesses must comply with data protection laws, but as technology and the way information is used has developed, so must the law. The Data Protection Act 1998 is now to be updated with GDPR, and all businesses will need to ensure they are ready for this cyber security shake up.

What is GDPR?

The General Data Protection Regulation (GDPR) 2016 is a regulation from the European Parliament. Its purpose is to give EU residents control of their personal information, and also provide a simplified way to regulate and monitor the use of this data within businesses. In essence, people will be able to see how and where their information is being used.

GDPR has clear guidelines that ensure transparent processes when it comes to compliance, and reporting and handling data breaches. Companies that are found to have not ensured proper compliance will receive hefty fines and penalties.

GDPR penalties

With current legislation, a company that is found to not properly protect customer data can face a fine of up to £500,000. In 2016, 21 companies were fined over £2 million for breaching data protection, showing that the full limit is rarely used. Under GDPR, companies could be fined for 4% of their turnover, or £20 million, whichever is higher. With a lot more at stake, businesses and organisations need to ensure their compliance and review their procedures.

GDPR and Brexit

As Brexit looms on the horizon, one must question whether GDPR will actually apply to the UK. The matter is very clear for GDPR – its focus is on who the data is about, rather than what the data is. In essence, if the data relates to those who potentially identify as European, businesses will need to be compliant with GDPR. Brexit may bring a raft of new benefits for the UK, but where protecting EU citizens’ data is concerned, the matter is transparent.

GDPR and Cyber Security

As a business that handles data of any type, you should be aware of how to best protect and have procedures in place. Under schemes such as the Cyber Essentials Scheme, cyber security is fairly straightforward. However under GDPR, businesses are required to do more. This means that ensuring cyber security will include allowing data access to specific individuals within the organisation. This also includes the way in which data breaches are handled, as they must be reported to the relevant authority within 72 hours. Opt-ins collecting personal data need to be more explicit, in that companies need to prove the data was given willingly and openly.

What can your business do now?

GDPR comes into effect in 2018, but it is imperative that businesses and organisations start making preparations. What should and can you start doing now to be compliant with GDPR?

• Data protection is now a company-wide matter, from the boardroom to every department and team member. Take a look at the structure of your business and see who could become a data protection officer. It doesn’t have to lie within your IT department, but do ensure that the officers receive the required training.
• Educate and train your staff on how to handle customer data within the new GDPR guidelines now. The sooner you can implement the new system, the easier it is to transition.
• Review your current cyber security, and ensure firewalls, encryption, and so on are robust.
• Ensure your paper-based documentation is handled and destroyed securely. Paper and physical data can be one of the biggest areas of loss and theft.
• Document how your company will respond to a data breach quickly and effectively.

If you would like any further information on GDPR and cyber security please get in touch with us.