GDPR Compliance

What is GDPR

GDPR stands for the General Data Protection Regulation, an EU-wide framework that became enforceable on 25 May 2018.
Under the regulation, individuals will be “guaranteed free and easy access to your personal data, making it easier to see what personal information is held by companies and public authorities”.
The regulation aims to improve the security of, and access to, personal information, whilst superseding personal data handling previously covered by the Data Protection Act 1988.

GDPR compliance is a necessity

GDPR, or the EU General Data Protection Regulation, came into force in May 2018 and places sweeping controls on how personally identifiable information (PII) is managed within a business. The regulation also imposes heavy fines for lack of compliance, up to 4% of annual turnover or €20M (whichever is greater) per breach, making this a potentially costly topic to avoid dealing with.

What are the real-world implications to your business?

–    What personal information are you storing? Is this data used for the purposes intended?
–    Where is this held?
–    Who has access?
–    How are cyber security and data breaches managed?
–    If data is requested by a customer or employee, how will this be shared?
–    Who is responsible for overall compliance?
Answering these questions becomes the first step towards compliance.

What is PII?

Personally identifiable information (PII) applies to customers, suppliers and employees. Personal information such as name, address, DOB and email address is already protected under the existing Data Protection Act. GDPR expands this to include ID numbers, location and online data markers together with mental, physical, economic and social indicators, and even genetic and biometric information that can lead to personal identification.

What is the impact of failing to comply with GDPR?

Companies found guilty of failing to comply face fines of €20 Million or 4% of revenue (whichever is greater). The severity of fines will depend on the level of data breach.

Getting started with GDPR

Data
a. Define Personally Identifiable Information
b. Map the locations of PII
c. Consider centralising data storage
d. Ensure all PII has an audit trail
e. Define security access to all PII

Software
a. Ability to store, find and catalogue citizens’ data and information
b. Creation of a secure environment for data
c. One version of truth approach for all information stored

Partners, Suppliers and Contractors
a. Check all businesses that handle your PII are GDPR compliant
b. Ensure effective use of contract management with vendors

People
a. Employ a DPO (Data Protection Officer) if required
b. Involve HR, legal, finance and business units alongside IT

Process
a. Define a clear plan for reporting data breaches
b. Citizens now have a right to be forgotten, therefore ensure their PII can be deleted
c. Provide a transparent process for responding to requests for information

Next Steps

GDPR compliance is not a simple, single software solution – it is a combination of good information governance, effective policing and a variety of solutions to address particular aspects of compliance.