GDPR – Are you prepared?

20 Jun 2017

By: David Hart

Auditel / E AND H / Membership Associations / Professional Membership Sector

Are you ready for GDPR?

Or perhaps you don’t know anything about it – in which case you’re not alone. At an event with a group of finance directors a couple of weeks ago, over 90% didn’t know what GDPR is or how it might impact their organisations. If you’re not already thinking about what you need to do to comply then you may be at significant risk.

The new General Data Protection Regulation (GDPR) is an EU-wide law that comes into force on 25th May 2018, replacing the current Data Protection Act, tightening data protection regulation and increasing the penalties for a data breach. Under GDPR the maximum fine increases to €20 million, or 4% of global turnover, and Brexit isn’t going to make it go away.

GDPR places stringent obligations on an organisation around the management and use of personal data – and data protection needs to be embedded into all your business process and systems.

The requirements apply to both automated (IT) and manual systems, and businesses must demonstrate compliance with the key principles, including:

  • Data must be processed in a manner that ensures security, protecting against unauthorised access or loss
  • Data must be accurate, kept up to date, and not retained for longer than needed
  • Businesses must have the explicit consent of individuals to hold their data, with a positive opt-in, freely given and verifiable, separate to any other terms and conditions (a higher standard than currently) – which can be withdrawn at any time
  • The right of an individual to have their data erased – meaning business need to be able to identify all the data they hold about an individual and be able delete it in response to a request.

Whilst the regulation also applies to manual and paper-based systems, IT is probably where greatest risk lies and businesses and other organisations need to ensure they are adequately protected. We are all aware of the impact of recent ransomware attacks, but many experts feel that the next big ransomware threat is around GDPR – with the potential for a criminal organisation to get hold of your data and then threaten to publish it.