Preparing for GDPR
On 25th May 2018 the General Data Protection Regulation (more commonly known as the GDPR) will come into force in the EU. Organisations need to prepare themselves for the introduction of this new legislation to ensure that they continue to process personal data lawfully. We understand that our customers might need some more information to be able to make decisions about what they need to do, so we’ve prepared this Q&A to answer some of the more frequent questions that we’re asked.
Does GDPR apply to my organisation?
Almost certainly. It applies to all organisations that process personal data, for example if you store customer contact information (perhaps in a CRM, or on your phone or in email) or data about your employees (HR and/or payroll). Broadly speaking, if the Data Protection Act (DPA) applies to your organisation then the GDPR will too.
What about Brexit, doesn’t this mean it won’t apply to the UK?
No. The UK government has committed to incorporating the GDPR into UK law, so it will apply even after Brexit. Also, if UK data protection legislation starts to diverge from the EU’s post-Brexit, the full GDPR will still apply to your organisation if you store the personal data of EU citizens.
What’s new in GDPR compared with the DPA?
In essence the GDPR is an evolution and extension of the DPA: it updates the existing legislation, adding new principles and new rights for data subjects. Some of the changes are: a new accountability principle for organisations; new rights for data subjects, including the right to be forgotten; a wider definition of personal data; a mandatory Data Protection Officer for some organisations; and mandatory data breach reporting.
What do I need to do?
That depends on many factors, including the size of your organisation, the type of personal data you process (for example, whether you process any sensitive personal data), whether you do any high-risk processing, and whether you process children’s data.
All organisations subject to GDPR need to review their existing data processing arrangements as elements of the new legislation apply to all organisations. For example, there’s a new principle of accountability that means all organisations need to be able to explain how they comply with the principles of the GDPR. For some organisations the changes will be significant and far reaching.
I have Cyber Essentials, Cyber Essentials Plus, or ISO27001 Certification, so I’ll be alright, won’t I?
No. These certifications don’t automatically demonstrate that you comply with the GDPR.
What’s the risk to my organisation if I’m not compliant?
New penalties have been introduced for organisations that don’t comply with the new legislation. An organisation can now be fined up to the higher of £17m or 4% of its annual global turnover.
How can ITogether help?
We offer a service that’s specifically designed to help organisations comply with the GDPR. We’ll work with you to assess your organisation’s compliance with the GDPR. We’ll focus on what data you have access to, where it is (in terms of its geographic and physical location and the application that uses it), and review your existing data processing arrangements so you know who’s using it, why, and that you have consent to process it. We’ll then provide you with a list of actions and recommendations based on your organisation’s current state of readiness for the GDPR which you can implement with or without our help. Finally, when you’ve had time to implement the actions and recommendations we’ll come back and audit you to check your data processing arrangements are fit for the GDPR.
For more information please contact our sales team on 0113 341 0123 or email firstname.lastname@example.org and someone will get back to you as soon as possible.