Here is quick rundown of the key points of the new General Data Protection Regulation. Remember, Cyber Security is at the forefront of compliancy – check out our GDPR Cyber Security page for more information on how you can protect your data.
GDPR brings with it significant penalties (2% or 4% of revenue). It applies to all EU Citizens. The UK Government is highly unlikely to repeal this regulation after Brexit as it has brought Data Protection into the 21st century. Even if it was repealed, if you have any dealing with an EU Citizen, then the regulation will still apply and you will need to be compliant. This brings us nicely to what is and isn’t covered by GDPR.
Out of Scope (Not covered) – Intellectual property i.e. Logo, dead people.
In Scope (Covered under GDPR) – Data stored or intended to be stored in a filing system (paper or electronic). Data processed wholly or partly by automated means.
A quick note here about the word “Processing”. Processing is not some magic thing that happens to data on the internet. Under GDPR you are processing personal data if you collect, alter, store, archive, disseminate or even LOOK at personal data.
Personal Data is “anything that can lead to the identification of a natural person”. This means their name, address, ID Number, location data etc.
Where email addresses are concerned, email@example.com does not identify a living individual and so would not be covered under GDPR. James@castle-computers.com however, could lead to identification and therefore is covered under GDPR. The waters get muddy when dealing with sole traders. Even if they have a generic email address (like firstname.lastname@example.org), because they are a sole trader, then the generic email address could lead to their identification and as discussed would be covered. Our advice is to err on the side of caution and treat business email addresses with the same care you would take with your own personal information.
Subject Access Request – People now have the right to find out what data you hold about them. This should be your first clue that you need to know where all your data is. Think – if you don’t know where your data is, how can you respond to an S.A.R? Subject Access Requests are different to freedom of information requests. You cannot charge for them (unless you can prove that you would be put at a significant disadvantage or loss if you didn’t). You must respond to these requests within 30 days. “Subjects” (also known as people!) have the right to have information you hold about them amended, transferred or deleted.
“Data Controller” – Determines what data is needed, why and what for. They also decide who to collect information about, why and the legal basis for processing.
“Data Processer” – Processes the data on behalf of the controller. They determine what I.T systems to use, how to store the data and how to keep it secure, ensuring the retention schedule is adhered to.
In smaller organisations it is highly likely that the controller and processer are the same person (or at the very least are in the same office). For example, as the Data Controller you have collected your employees National Insurance Number, Date of Birth, Bank Details etc so that you can pay your employee. You then process that information when you run payroll and pay that person. If you pass personal data to another business i.e. if you outsource your payroll to your accountant, then you should ensure that they have the necessary procedures and policies in place. They are in effect acting as your Data Processor and you are the Data Controller.
“Data Breech” – Just to clarify, a data breech means you have lost data that relates to an individual (i.e. lost a USB Stick with your customer list on? Laptop stolen?)
“Data Inventory” – CRITICAL! If you don’t know where all your data is – then how do you know if you have lost anything?! You should identify what data you have, where it is and who has access to it. (This will also help if you ever have to deal with a Subject Access Request.)
One thing is for certain – GDPR is not about convenience! You can’t keep data “just in case”. It must have been collected for a specific purpose and then destroyed if you have no legal or contractual obligation to keep it.
Data must be accurate and kept up to date.
Consent is the weakest reason to have or process someone’s data. Identify the most valid and strong reason for consent that you can (i.e. legal or contractual).
If you deal with credit cards, any data breech that includes cardholder information would be covered under PCI and GDPR.