If you own or work within a business, you should by now have heard of the GDPR (General Data Protection Regulation).
On May 25th, 2018, this new legislation will replace the existing Data Protection Act. The legislation is designed to do two things: first, to ensure that data protection regulations are uniform across the EU Member States; second, to encompass emerging technology and storage media such as Cloud, USB storage and off-site backup. Even if the UK does leave the EU, the legislation will remain in place.
Some of the main changes introduced by the GDPR are:
- €10 million fine or 4% of annual turnover, whichever is the greater
- Right of access requests can now be made verbally, there is 1 month to comply, and charges can no longer be levied
- Self-reporting is now mandatory
The Data Protection Act came into force in 1984. The ICO (Information Commissioner’s Office) is the supervisory authority whose task is to enforce the legislation. Most companies simply had to register for a Data Protection Certificate by paying a small fee and agreeing to maintain the 8 principles. This was all very vague, and most businesses that we speak to have never applied for a certificate. The GDPR has more teeth than the DPA and we do urge all businesses, regardless of their size, to take the time to become GDPR compliant.
You will no doubt by now have started to receive emails and mailings from companies offering a wide range of services, all claiming to keep you compliant with the GDPR legislation. Most of these companies will be using technical terms like hardware audit, port testing, encryption and principle compliance. In addition, most will be charging a large fee for this work. BEWARE.
The ICO has (at the time of writing this article in April 2018) not authorised or accredited any training body, approved any course or provided any practical guidance on compliance with the GDPR. Whilst there are a couple of well-established training companies who have put together GDPR courses, the usual “bandwagon” has started, with companies looking to earn money from the legislation.
The full GDPR legislation is 260 pages long (feel free to download it here) and, unless you are a lawyer, it is unlikely to make much sense. Once the legislation comes into force, there will no doubt be many test cases. These test cases will provide assistance on future compliance.
As the Director of PC Repair Leeds, and as the GDPR relates so closely to technology, I have taken some of the offered courses and exams to provide myself with the best training on the GDPR. In addition, as a company, we have now also been accredited with a government-backed Cyber Essentials certificate to prove our understanding of data security. We hope that our knowledge will ensure our Clients remain compliant and that our own compliance and experience can help others.
We have now started rolling out simple procedures to our existing business Clients, which will help them prove compliance with the GDPR. The suggestions we are making do not cost very much and are more a matter of implementing procedures and policy. Just some of the easy-to-implement solutions are:
- Encryption of all hardware
- Frequent changing of passwords
- Hierarchical access levels for staff
- Apply for Cyber Essentials
As a business, we strongly suggest you speak with your own IT company to ensure they are assisting with GDPR compliance. If they are not, or you want some additional advice, please do not hesitate to contact us today.
REMEMBER – Ignorance is not accepted as a defence in law.