There has been a lot of discussion lately about GDPR and how it will affect UK businesses, especially with Brexit added to the mix. After four years of work overhauling the European Union's data protection rules, the EU Parliament has finally approved the EU General Data Protection Regulation, more commonly known as GDPR.
The important point is that although GDPR has been adopted and is now in force, it does not apply until 25 May 2018. That leaves limited time for businesses to work out what they need to do and come to terms with the new regulation.
Why is GDPR important?
GDPR is a significant step forward in protecting personal data, especially if you are based within the EU or work with companies that are.
GDPR will help EU residents keep their personal data more secure, as there will now be a single, consistent set of rules applying across all EU member states rather than differing national implementations.
What does this mean for the UK and Brexit? In practice, not much will change: any UK-based company that handles the personal data of individuals in the EU will have to comply with GDPR regardless of the UK's membership of the EU.
2016 has been a busy year for data breaches. Under GDPR, a company that suffers a personal data breach must notify the supervisory authority within a set time frame (72 hours of becoming aware of it, unless the breach is unlikely to put individuals at risk). Much larger fines are also on the cards, up to 4% of annual global turnover (or 20 million euros, whichever is higher). The intent is to make a breach a board-level financial risk and push companies to shore up their IT security before one happens.
Who does it apply to?
GDPR applies to organisations of any size, anywhere in the world: if a business holds or processes personal data of individuals in the EU, it must comply, whether or not it is itself based in the EU.
Within the business, board and C-level members need to understand that data protection is a board-level issue. It is their responsibility to ensure that the business complies with the law, that appropriate controls are in place, and that staff are trained in cyber security and in the handling of personal data.
What do you need to do?
Companies in the UK that are already registered with the ICO under the Data Protection Act will find many of the principles familiar, as a good number of the required controls are already in place. GDPR should not be too much of a shock, but due diligence is still needed to confirm that the business is ready before GDPR applies. This is especially true for businesses with multiple sites or operations in several countries, where data flows between locations need to be understood and documented.
Businesses should start reviewing their policies now and ensure that they are both up to date and compliant with the new regulation. They should also consider obtaining Cyber Essentials and Cyber Essentials Plus accreditation as a baseline security measure, to demonstrate that at least the basic technical controls are in place.
Companies should be proactive in protecting personal data: encrypt it both at rest and in transit, restrict access to those who genuinely need it, and put appropriate security controls in place at every level of the infrastructure and keep them up to date.