General Data Protection Regulation (GDPR) proposed by the European Commission strengthens and unifies data protection for individuals within the European Union (EU), whilst addressing the export of personal data outside the EU. GDPR came into force on May 25 2018.
Organisations need put in place technical and organisational measures to demonstrate their compliance with GDPR, meaning new policies, controls and procedures will need to be developed.
The primary objective of the GDPR is to give citizens back control of their personal data. GDPR harmonizes previous and other data protection regulations throughout the EU.
GDPR applies to any organisation operating within the EU, as well as any organisations outside of the EU which offer goods or services to customers or businesses in the EU.
There are two different types of data-handlers the legislation applies to: 'processors' and 'controllers.'
A controller is "person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data", while the processor is "person, public authority, agency or other body which processes personal data on behalf of the controller". A controller will need to ensure that all contractual obligations with a processor are compliant with GDPR whereas a processor will have more legal liability if they are responsible for a breach.
Under the terms of GDPR, not only will organisations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it will be obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners - or face penalties for not doing so.
Under GDPR, if your organization suffers a data breach, the following may apply depending on the severity of the breach:
- Your organization must notify the local data protection authority and potentially the owners of the breached records within 72 hours
- Your organization could be fined up to 4% of global turnover or €20 million for non compliance to GDPR requirements
The UK Government Cyber Essentials Certification and IASME Standard are a great first step in achieving compliance.
Cyber Essentials can already mitigate ICO fines if a company suffers a breach. Cyber Essentials certification is evidence that you have carried out basic steps towards protecting your business and your data from internet based cyber attacks.
By certifying to the IASME governance standard including its specific GDPR questions, you show your organisation has a wider governance system for management of the controls protecting personal data. The IASME governance standard adds a number of topics to Cyber Essentials which will be required for GDPR compliance, such as assessing business risks, training staff, dealing with incidents and handling operational issues.
If you want to know more about Cyber Essentials and IASME Governance, including the GDPR specific assessment questions, and see how these standards can help support you please contact our cyber security team on 0345 3054118
Taking the complexity out of GDPR
Offering flexible tailored GDPR compliance services:
-
GDPR Readiness Assessments
-
GDPR Training and Awareness
-
GDPR Policy and Procedure Development
- Data Protection Services
- Cyber Security Solutions
- Cyber Essentials and IASME Certification
- Incident Response and Breach Management
The General Data Protection Regulation (GDPR) was the biggest change to data protection law in a generation.
If your business isn’t compliant, you’re leaving yourself open to enforcement action that can damage both your public reputation and bank balance.