GDPR for IT Managers: Legislation you need to know
Even at the best of times, keeping your organisation compliant with each and every piece of legislation can feel like an uphill battle. With new regulations on the horizon, it’s completely understandable if you feel like burying your head in sand. Unfortunately, we can’t all become ostriches, so we’ve got to find a way to deal with this regulatory change.
GDPR is one of the headline data protection changes. It’s coming into effect in May 2018, and your organisation will almost certainly need to respond to remain compliant. With the PCI-DSS Compliance changes looming, it’s no wonder why it’s so stressful to be in the IT profession at the moment.
Most believe compliance is a burden. But it doesn’t need to be overly complex, and that’s why we’ve written this article. Instead of reading the 88 pages of regulation, we’ll run through the essentials to keeping and remaining GDPR compliant. Let’s get into it.
What is the definition of GDPR?
Companies that operate throughout Europe are subject to different data protection laws. In 2012, the European Commission began planning a new “right to be forgotten”, which has since become synonymous with the General Data Protection Regulation.
But the right to be forgotten is only part of the story. There are 8 new rights for individuals in regards to their personal data – all increasing the amount of control that individuals have over their data.
If you’re solely operating in the UK, then the changes should not be overly surprising. The changes are very much in keeping with the themes introduced by the Data Protection Act, it is just increasing the level of formality to the personal data your organisation processes.
What does the GDPR legislation say?
GDPR increases the need for organisations to design-in privacy into their data processes and systems. Every piece of software and hardware your company uses should be compliant with all eight of the new rights it has introduced:
- The right to be forgotten (erasure) is perhaps the headline change. Following a 2014 case against Google, the EU commission has sought to take the power from data controllers directly into the hands of consumers. That means if you receive a request, you need to ensure that all traces of their personal data are deleted, including IP addresses and traces of card data.
- Organisations also need to provide data subjects with access. The right to access now means that consumers/individuals/data subjects have the right to review all of the personal data you have collected about them.
- Individuals also have the right to rectify any data you may hold on them. This will increase the accuracy and value of your data, but if you hold multiple records in various locations, this can cause severe data disparity internal to your organisation. You also have the responsibility to pass on these rectified records to anyone that you’ve shared the data with.
- You also need to provide data portability to any data subject that requests it. That means providing a copy of personal data you hold on individuals, in a “readable” file format. For some businesses, this could be a highly manual process.
There is also an increased need for organisations to document their data processing procedures. This is because organisations now need to be data-smart, and some public organisations will need to appoint Data Protection Officers. Here’s some more information on the purpose of their role and why data governance is now integral.
Consent is another topic of debate. You now need to gain a positive opt in to collect an individual’s personal data, this consent must be freely given and clear - in plain, understandable English. You also need to have a record of where your data subjects provided their consent, and give them an option to revoke their consent at any time. This type of formally documented processing needs to be made a priority in your company to remain compliant.
What will happen to GDPR after Brexit?
On 7th August 2017, the Government published its statement of intent to adopt GDPR through a new Digital Protection Bill. Unless something radical happens (let’s face it, it’s not out of the question!), the UK will adopt it in the same timeframe as every other EU country.
What are the punishments for violating GDPR?
The furore surrounding GDPR has been, in part, due to the monumentally huge fines that organisations of all sizes may face. For instance, TalkTalk was fined £400,000 by the ICO for allowing attackers to breach customer data “with ease” - if they were to be found guilty under GDPR, the fine could reach £59 million. No small change.
The maximum fine an organisation can face, at present, is £500,000. This is dwarfed by the new maximums, which stand at £17 million or 4% of annual global turnover. There will be no ‘cooling off period’ for the new legislation, and firms will be eligible to receive the new fines on the Friday the new legislation becomes effective.
How to comply with GDPR legislation for IT managers and professionals
Compliance will always be a worry lurking around for IT professionals, unfortunately there’s no avoiding that.
What you can do, however, is start by auditing your data and beginning to formalise all your data handling procedures. Documenting this formally will put you well on your way to getting a clear, accurate overview of how your business processes data.
You may need to undertake some form of digital transformation to become GDPR compliant, hence why becoming aware of GDPR’s implications at the earliest possible opportunity is essential.