GDPR: What is it and what should you consider?
As you may have heard, on the 25th of May GDPR (General Data Protection Regulation) came into effect across the EU.
GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU).
Are you interested in GDPR and what it means for your business? Get the facts in our White Paper (Tiva has been part of the entrustIT Group since 2017).
The UK is leaving the EU. How does this affect GDPR?
The General Data Protection Regulation applies to all companies based in the EU and to those with EU citizens as customers. It reaches beyond the EU's borders, so organisations in non-EU countries are also affected.
Even though the UK is planning to leave the EU, the UK will still need to comply with the GDPR. A version of GDPR has been enshrined in UK law as part of the EU (Withdrawal) Act, so the UK will need to comply with the Regulation both while it is still a part of the EU and afterwards.
“Personal Data” – This could be in electronic form or in a manual filing system.
“Sensitive Personal Data” – This is data on personal matters such as sexual orientation, political views or racial origin.
What are ‘controllers’ and ‘processors’?
A controller decides what data should be retained and what it will be used for. A controller has a legal obligation to ensure that any processor contract complies with GDPR. More information can be found on the ICO website.
An organisation that handles personal data on your behalf, such as TIVA or a payroll bureau service, is considered a processor and will have legal liability if it is responsible for a breach.
Penalties for non-compliance are much larger than before (up to 4% of turnover), and you have only 72 hours from discovery of a breach to report it to the Information Commissioner.
GDPR is there to protect our data, for business and consumer alike. Most companies appear to have stringent security policies and in-house security strategies to safeguard against breaches.
Every organisation should start by auditing its security processes, and then continue to do so regularly.
Very recently it was revealed that Butlin's suffered a breach resulting from a phishing attack on its network.
Whilst no payment details were stolen, personal details were, and it is likely that, as a result, larger companies will be reviewing their security strategies to make sure they are watertight and so avoid hefty fines.
What is an audit?
An audit provides an assessment of whether your organisation is following good data protection practice.
What are the benefits of an audit?
Your organisation can benefit from the data protection knowledge and experience of the ICO’s audit team. It gives your staff the chance to discuss relevant data protection issues directly with the ICO’s audit team.
What areas does an audit normally cover?
Examples of areas which may be covered in an audit include:
- Data protection governance, and the structures, policies and procedures to ensure compliance with data protection legislation;
- The processes for managing both electronic and manual records containing personal data;
- The technical and organisational measures in place to ensure that there is adequate security over personal data held in manual or electronic form;
- The provision and monitoring of staff data protection training and the awareness of data protection requirements;
- BYOD (bring your own device): make sure any device used for work is properly secured, e.g. with encryption.
Other areas to consider:
- Review the way you make use of public cloud IT services, e.g. whether any use of public cloud tools should be discontinued.
- Make sure data cannot be downloaded from a public cloud service.
- Are your cloud backups encrypted?
- Do you use two-factor authentication on all your public cloud services?
- Who has access to your ERP, finance and payroll systems?
Are you using public or private cloud services and do you know the difference?
The main differentiator between public and private clouds is that you aren’t responsible for any of the management of a public cloud hosting solution. Your data is stored in the provider’s data centre in the UK and the provider is responsible for the management and maintenance of the data centre.
With well over a decade’s experience in providing pure cloud IT solutions to businesses, TIVA & entrustIT could just be that perfect partner for your business!
Get the facts about GDPR with the definitive White Paper from the entrustIT Group.