GDPR – General Data Protection Regulation
Its purpose is to protect personal data and regulate how organisations process, store and destroy that data.
GDPR is a European Regulation that replaces the current Data Protection Directive and comes into effect in May 2018.
GDPR applies to any business that holds European customer data on its systems or trades with a business in the EU.
GDPR gives consumers new rights which businesses must be able to facilitate:
- Right to be Informed – businesses must clearly show how personal data is used, stored and protected.
- Right to Access – businesses must provide access to personal data.
- Right to Rectification – any incorrect data must be corrected upon request.
- Right to Erasure / Right to be Forgotten – consumers have the right to have their data removed if you have no reason to hold it.
- Right to Restriction of Processing – consumers can restrict how their data is used.
- Right to Data Portability – consumers can ask for their data to be provided in a format they choose, for example .csv.
- Right to Object to Processing – a consumer can request that you no longer process their data.
- Right to NOT be Subject to Automated Decision-Making – a consumer can always request that decisions are made by a person and not by an automated system.
Your business must have the procedures and processes in place to meet the new consumer rights and to prevent personal data breaches.
Under GDPR, personal data breaches can result in fines of up to €20 million or 4% of global turnover – whichever is the greater.
To avoid fines for your organisation and to prepare for GDPR you need to act now by doing the following:
- Identify the data you hold and retain.
- Establish why you are holding the data and whether you need it.
- Archive data no longer required.
- Encrypt/Obfuscate customer data.
- Ensure all policies and procedures are updated and your privacy policy is communicated and readily available.
- Create a GDPR framework within your business and ensure all staff have relevant training.
So… are you ready for GDPR?
If not, and you would like assistance identifying, archiving, obfuscating or encrypting personal data on your IT systems, contact us. We can help!