What You Need To Know About GDPR: 6 Key Principles

What is GDPR?

Formulated over a total of four years, the General Data Protection Regulation (GDPR) has been developed to monitor and regulate the new ways consumer data is used in an increasingly technological world. Replacing the 1995 EU Data Protection Directive, it is designed to implement stricter regulation, with hefty fines for non-compliance and data breaches, and to give consumers more control over how their data is stored and distributed by companies.

Principle One: Compliance and company-customer honesty

Any data shared with a company by a customer is still lawfully owned by the customer. GDPR is designed to keep customers who share data informed about what happens to it and to give them the ability to review it. For businesses, the processing they carry out must match the objective they have outlined. Stricter monitoring of this means that any organisation breaching its obligations to customers and EU regulators will face higher fines and harsher repercussions.

Principle Two: Purpose limitations

The start date in May 2018 brings in new rules on the reasons for which data may be obtained. As outlined in the official document, personal data may only be collected for ‘specified, explicit and legitimate purposes’. This means that a customer who consents to a company holding their data cannot then have that data used for marketing, consumer research or third-party distribution. Removing clauses that allow organisations to use submitted data in misleading ways gives you a higher level of privacy and control over what happens to your personal information.

Principle Three: Relevance

Where a customer would once supply a wide range of personal information so that businesses could hold full records, the new legislation prevents companies from obtaining any data they do not explicitly need. Anything not relevant to the purpose for which the data is required must either never be collected, or be removed, to ensure compliance from the day the legislation takes effect.

Principle Four: Accuracy

If a company intends or needs to hold customers' information for a considerable length of time, it must now ensure not only that the data is 100% accurate, but also that it is regularly reviewed and kept up to date. Periodically checking the accuracy of the data is also a secondary way to confirm that what is being stored is still relevant and required for the processing under way. Developing a sound method for managing and storing data also helps protect consumers against identity theft.

Principle Five: Limitations

Ensuring that the identification of data subjects is monitored and regulated allows businesses to regularly review the need for specific data. Applying company-wide compliance settings on how long a consumer's data can be held without regular review or use is a reliable way to ensure GDPR is always being applied, and to avoid stern charges and repercussions. Likewise, verifying that deleted data is truly gone protects the company from negative consequences, and protects the customer from the dangerous distribution of their information or identity theft.

Principle Six: Security

While a business may be applying strict policies on the removal and relevance of consumer data, it is important to remember the importance of an air-tight security management system. Security is essential to ensure third parties cannot enter the system and obtain information that a company could be held liable for disclosing. Employee confidentiality, two-step locking of computer systems, and remote storage are just three of the ways a business can protect consumers' data, and its own licences.

Think about your clients

Consumers will be aware of the implications of GDPR and will know what to look for when assessing your business. It is worthwhile considering the customer's perspective to make sure your GDPR system is compliant in their eyes.

Consumer safety measures include:

• Terms and Conditions – Does your business make your terms and conditions as well as data opt-in readily available?

• Requesting deletion – How will your business handle requests and cater to customer needs? What is the timescale for removal, and how can errors be avoided in this situation?

• Rights – Customers may ask for clarification on your policy to ensure you are a trustworthy business. Can your organisation provide the knowledge and peace of mind that the customer is looking for?

If you need help addressing any GDPR concerns, then get in touch with the IT Solution experts at Cyan Solutions. The team can help you to implement the necessary GDPR measures to ensure your business remains competitive, successful and compliant.

How GDPR affects charities

In addition to understanding the General Data Protection Regulation in businesses, it is also essential to understand the role of the GDPR in non-profit organisations. Any organisation that holds personal data will need to comply with the new GDPR. The new regulation can be an opportunity for charities to rethink the way they store data, and whether or not their processing of sensitive data is effective. There are several ways the GDPR might affect the way charities manage data and consider their current processes.

Volunteers

Information about volunteers and the training they receive should be treated just as employees' information is, and this might require a rethink of processing. An audit is the preferred way to begin preparing for the GDPR. It will identify what information you hold, where it came from, and how you will use that data.

The audit will provide a basis for what needs to be done to comply. The location of the information is essential, as well as the length of retention, and most importantly the risks associated with holding the data. These are all things that might need reconsidering; it may be worth following best practice in business to make sure non-profit organisations comply with GDPR.

Volunteers should also have the necessary and sufficient training for GDPR. This includes making sure there are refresher training sessions to keep data protection issues at the forefront of staff minds. Training can cover transferring data securely and the importance of complex and regularly updated passwords. Any policies that you create as a result of the GDPR need to be distributed, and these policies need to be fully understood.

Individual consent

The individuals whose data you hold need to be able to provide explicit and educated consent. The information about consent will need to be separated from the terms and conditions and will need to be presented in a way that the individual can fully understand. Approval must be actively acquired and reviewed to ensure understanding and avoid miscommunication. Information about what data you store about an individual must be easy to find, and always present.

Consent will cover the donors as well as individuals that your charity helps.

Encrypted technology

Ensure that all technology used to store personal data is secure and encrypted. This should include hard drives and memory sticks. Encrypting technology can avoid data breaches, and protect the data of the individual, as well as protecting the charity.

Charities may need to include in their budget the scope for enhanced IT solutions, to make sure all of the technology they use complies with the necessary regulations. At Cyan Solutions, we can help to ensure you have the right IT solutions in place that will conform to the essential requirements.

The Data Protection Law Is Changing: What Does Your Business Need To Do?

Coming into force on the 25th May 2018, the General Data Protection Regulation (GDPR) will mean businesses have to adhere to new rules for managing personal data set by the European Parliament and European Council.

GDPR will be binding and enforceable. With the threat of hefty fines for non-compliance, here is our simple guide to what your business needs to know and act on before this crucial deadline.

Why is GDPR important?

With cyber security threats increasing, there has been growing focus on safeguarding personal information. GDPR is a strict privacy law that offers potentially worldwide benefits and peace of mind to individuals who share their data. By protecting data, you can protect your business from potential exploitation, attacks or data breaches, which can significantly damage your organisation and its reputation.

Does GDPR affect my business?

If your business processes personal data for any individuals who live within the EU, then your business must adhere to the regulation. Even if your business is based outside of the EU, if you have personal data for anyone within the EU, the regulation still applies. If you are in the UK, despite Brexit looming, it is likely that the UK will continue to maintain this regulation. So, it is best to act now to avoid potential fines from next year.

What personal data is applicable?

Personal data is considered any information that may identify a person. Direct and indirect data collection both apply. Some of the information that’s subject to GDPR regulation includes:

  • A subject’s name
  • Email address
  • Social media posts
  • Bank details
  • Medical records
  • IP addresses
  • Mobile phone IDs
  • Genetic information
  • Biometric data
  • Fingerprints
  • DNA samples
  • GPS

In fact, anything that can physically, mentally, economically, genetically, physiologically, culturally or socially identify an individual must be considered.

Even if your business does not keep data, you may still be liable to follow GDPR regulations if you process information on behalf of another business, agency or individual. You can find out more from the Information Commissioner's Office.

How can my business comply with GDPR?

It is wise for businesses, individuals and agencies which fall into the category of data controllers or processors to have access to an appointed person who has data protection knowledge and understands what to do to comply with data protection law.

For larger organisations, GDPR may require you to appoint a Data Protection Officer. For smaller teams, it may be beneficial for data protection to be a part-time role. Alternatively, it may be worth using a consultant with expert knowledge to help your organisation achieve compliance and maintain good practice standards.

What measures can my business take to improve data protection?

There are many ways that businesses can increase their security measures which, in turn, will help them adhere to GDPR regulations. Considerations for your business and its security include:

  • How can you make document management more secure?
  • Is your user identification sufficient?
  • Is your data encrypted?
  • Can you improve data overwriting or automatic deletion processes?
  • How can you protect your business from malware?

With GDPR coming into force, now is the perfect time to consider the accuracy of the information you hold, how accessible it is, and your storage and retention policies.

What happens if my business does not comply with GDPR?

Should there be a data breach, or should your business be found to be non-compliant, the penalties are serious. A severe issue could lead to a fine of €20 million or 4% of your annual global turnover, whichever is greater. Fines can be smaller and will depend on the severity of the breach. What’s important is that this is not a situation that is taken lightly, and investing in compliance could save your business in the future.

How can Cyan Solutions help?

With expertise in information technology, we can empower your business not only to understand the new GDPR regulation, but we can also enable your business to achieve and sustain compliance.

If you want to find out more about how we can help to support your business with GDPR compliance, get in touch for friendly, expert advice.