GDPR is focused on enhancing the security and rights of the individual.
Tamite Secure IT are focused on helping your company deliver GDPR, implementing the changes that will help you comply today and provide a strategy to keep you compliant.
It is time for companies to embrace the new regulation as it is an opportunity to re-boot your data security strategy and to demonstrate to your customers that you care about them and value their right to data privacy.
We provide all types of services, from reviews through IT department support to full GDPR assessments and reports that can be included in future Data Protection strategies. We offer services tailored to each customer's requirements, including:
- Introduction to GDPR
- Full assessments that include Data mapping
- Detailed reports
- Recommendations for compliance
- Full DP strategies
- GDPR workshops and seminars
- GDPR Consultancy
Brexit and General Data Protection Regulation
The General Data Protection Regulation is an area of EU legislation that the UK Government will be in no hurry to unravel as part of divesting itself of the trappings of EU membership.
The Government announced its intention to commence formal ‘divorce proceedings’ on 30th March 2017 by invoking Article 50 of the Lisbon Treaty. This gives negotiators two years from the date of notification to conclude new arrangements. Therefore, the UK could leave the EU by December 2018 at the earliest. Consequently, there would be at least six months where UK data controllers would have to abide by all the provisions of GDPR.
Exiting the EU could and in all probability will take much longer than two years.
Even if Brexit negotiations were to be concluded before May 2018, the Data Protection Act (DPA) will be living on borrowed time. Immediately after the Brexit vote the Information Commissioner (ICO) released the following statement: ‘If the UK wants to trade with the single market on equal terms we would have to prove “adequacy”.
Effectively UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework from 2018.’
GDPR received formal adoption by the European Parliament in April 2016 and was published on 4 May in the Official Journal. As a result, GDPR will be directly applicable throughout EU member states, without the need for implementing legislation, from 25 May 2018.
GDPR will replace the UK Data Protection Act
The arrival of GDPR will mark the demise of the UK Data Protection Act 1998 (DPA). While conformity to the old DPA will be a good starting point, the new Regulation differs in key areas, and you will need to update your policies and procedures to achieve compliance with the new regime.
Some of the key changes:
- Enhanced data subjects’ rights: GDPR introduces a ‘Right To Be Forgotten’ which means that, subject to some exceptions, data subjects will be able to request that their personal data is erased by the data controller and no longer processed.
- Security breaches: GDPR requires that, as soon as the data controller becomes aware that a personal data breach has occurred, it should without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the Information Commissioner’s Office (ICO), unless the controller is able to demonstrate that the breach is unlikely to result in a risk for the rights and freedoms of individuals.
- Consent: Like the DPA, GDPR will require data controllers to have a legitimate reason for processing personal data. If they rely on the consent of the data subject, they must be able to demonstrate that it was freely given, specific, informed and unambiguous for each purpose for which the data is being processed. Silence, pre-ticked boxes or inactivity will no longer constitute consent.
- Data protection officer: Most organisations handling personal data, both data controllers and data processors, will require a data protection officer who will have a key role in ensuring compliance with the regulation.
For companies who have previously registered under the DPA, and those that intend to do business within the EU, the new regulations will require your systems and processes to be compatible with the rules. These include the exchange of data with suppliers to protect customers’ personal and financial information. The focus on fines for data breaches is designed to make companies of all sizes aware that data breaches will result in very large fines.
In the brave new world of GDPR you should be following the doctrine of Privacy by Design. This involves minimising the collection of personal data, deleting data once it is no longer necessary to hold it, restricting access to it, and securing it through its entire lifecycle.
If the answer to either of the following questions is ‘No’ then your company is at risk! If you have not assessed the impact of the new General Data Protection Regulation (GDPR) and are not prepared then you could face a large financial penalty!
But do not worry: Tamite IT Solutions can provide you with guidance and a framework to help you answer those questions and prepare you for the impending changes.
It is widely accepted that there are 12 key steps to assess the impact of the GDPR on your organisation and help you plan for any changes required.
- Awareness – Identify who in your organisation needs to be aware of the GDPR.
- Held information – Identify and document what personal data you hold, where it came from and who you share it with.
- Privacy Information – Review your existing privacy notices and identify what needs to change.
- Individual rights – Review your existing procedures and identify what needs to change.
- Subject access requests – Review your existing procedures and identify what needs to change.
- Processing personal data – Identify and document what types of personal data you process and the legal basis for carrying it out.
- Consent – Review your existing procedures and identify what needs to change.
- Children – Do you deal with children? If you do, then review your existing procedures for verifying individuals’ ages and seeking parent/guardian consent.
- Data breaches – Review existing procedures for detecting, reporting and investigating data breaches.
- Data Protection by design – Familiarise yourself with the ICO guidance on privacy impact assessments and identify how and when to implement them.
- Data protection officer – Designate a data protection officer or someone to take responsibility for data protection compliance. Define where they need to sit within your organisational structure.
- International – If you operate internationally, determine which data privacy supervisory body you come under.