What does GDPR mean for my business?

1. Accountability

Businesses will be more accountable for protecting people’s personal information.  Recently, huge data breaches have affected large companies like LinkedIn and Yahoo.  Under GDPR, it’s mandatory for UK companies to report information security breaches to the ICO and to the individuals affected within 72 hours of identification.  Companies that have over 250 employees must document why people’s information is being collected, describing what’s held, how long it will be kept and the security measures in place to protect the information.  Companies must also show that they regularly and systematically monitor all activities on personal data.  This might mean that your business needs to employ an extra person to cover this role.

2. Clients can access the information you hold about them

GDPR gives individuals more power to access their personal information.  Currently Subject Access Request (SAR) allows businesses to charge £10 to supply information, but under GDPR, access is free of charge.  GDPR gives individuals the power to have their personal information erased in some circumstances such as when it’s no longer needed for the purpose it was collected.  In addition, GDPR gives individuals more rights over the processing of the data held.  ICO says that individuals ‘have the right not to be subject to a decision’ if it produces an effect on them.  There are some exceptions, but in general, people must be provided with an explanation of the decision.

3. Fines can be around £17 million

If companies don’t process individual’s data properly, don’t have a data protection officer when they need one, or have a security breach they can be fined.  As the Star Trek Borgs say, ‘you will comply’ and ‘you will adapt’.  The fines ensure that when it comes to information security, there’s no choice.

1. Become familiar with the standard

Read:

• General Data Protection Regulation on the EU’s website.
• NDC Global Auditor’s GDPR Quick Reference Guide. It’s free and explains GDPR’s key objectives in user-friendly language.

2. Carry out a gap analysis

Begin by identifying the processes, policies and procedures that your business has in place and what needs changing for GDPR.  Examine where EU citizens’ data is currently being held and the level of information security.  Look at how long data is being stored; whether any unnecessary data is being held that could be deleted; who has access to the data and why; and how access to data is currently being monitored, how often and by who.

3. Plan for implementation

Think about:

• Whether you need to appoint a data protection officer to ensure compliance.
• How data flows across different borders within the EU and outside it.Prepare for data subjects to be able to exercise their new rights under GDPR.
• Having a battle plan.Once you’ve carried out a gap analysis, how will you prioritise your resources to address gaps?

1. Free Data Security & ISO27001 Information Security seminar

NDC Global Auditors are offering free Data Security & ISO27001 Information Security seminars in partnership with Soitron UK. Our aim is to help you understand GDPR and to establish the next steps for your business.

2. Consultancy, training and technical support

Together with our technical experts at Soitron UK, NDC Global Auditors can support you to:

• Carry out a gap analysis of your existing information security management system.
• Develop robust it systems that comply with GDPR.
• Implement and maintain ISO27001 – the accepted global benchmark.
• Train your data controllers and data processers.