What impact will reforms to the Data Protection Act have on your business, and what relevant adjustments are you likely to have to make?
After 4 years of debate, it seems that changes to the Data Protection Act 1998 are now imminent. Many feel this is long overdue, and that rather than having several different versions of data protection across Europe, a one-size-fits-all regulation is far better. There will be further meetings in January on the new regulations, which will be followed by a 2-year transition period. However, what will these changes mean for small businesses and organisations like yours?
Decisions, new rules, one piece of legislation
The European Union, Council, Commission and UK Parliament have spent a considerable amount of time discussing the best way to make data protection work for everybody, with new rules that are relatively easy to understand and abide by.
Why the changes?
In a fast-paced digital world, keeping sensitive personal information secure has never been harder, and the current legislation (now over 20 years old) is clearly no longer enough.
The new EU General Data Protection Regulation will be a one-size-fits-all set of regulations with a bedding-in period of up to 2 years for large and small businesses and organisations. Naturally, if businesses adapt to the changes as early as possible, they’ll reap the rewards in the long term.
What will it cover?
There are still some things to be finalised and we won’t know until February what they will be; however, here are some of the changes we are aware of:
• As well as individuals, data protection regulations will protect anyone who can be identified
• After the 2-year bedding-in or transitional period, it will be finalised in 2017 or 2018
• Rather than a directive followed by individual legislation in each country within the EU, there will be a single set of Regulations that covers the entire European Union with the full force of the law. It will have immediate effect in all countries and everyone must comply.
What about countries outside the EU?
Any business that operates within the EU, even if it is itself based outside the EU, will have to comply with the new regulations.
What will organisations and businesses have to do in order to comply?
Here’s what we know so far:
What’s personal data, what isn’t?
Organisations and businesses will have to identify exactly which parts of their information contain personal data, state whether it is stored physically or digitally, and record what state it is in.
Minimise and don’t keep anything “just in case.”
There will be emphasis on minimising the amount of data you hold and making sure that only what you really need is stored, rather than reams and reams of information about people kept on a “just in case” basis. This reflects the current data protection principles, mainly principle 5: “personal information must not be kept for longer than is necessary.”
Structures embedded within the organisation that help deal with the Regulations
It will be important that organisations set up their own structure for data protection that adequately handles the requirements of the new General Data Protection Regulations. They will also be required to ensure that privacy of all personal data collected is built into the way it is stored, whether digitally or physically.
Explicit not assumed consent
Consent from data subjects will need to be EXPLICIT, not assumed, and data subjects will be entitled to withdraw their consent completely at any time.
Under the regulations, you won’t be able to collect and store information you don’t need simply because your organisation has no policy for disposing of it when it is no longer needed.
Are you a data processor?
Let’s consider the internet: recently the European Court decided that Google was in fact a data processor, which in turn meant that people using Google have a right for their information to be forgotten rather than held indefinitely. Also in the planning is a right to erase information. However, how this fits in with the UK’s draft surveillance bill, under which everyone’s internet activity would be stored for a year, remains to be seen.
Under the new Regulations, if the personal information you store is encrypted, you will be safe from notification, and this acts as a defence against data protection breaches. However, keep in mind that all personal data you store must be encrypted and that in future this will include credit card and social security numbers.
Having a Data Protection Officer has been an important part of the current Data Protection Act, and if your organisation has more than 250 employees, you will still need to think about employing one. This may not be necessary for smaller organisations, but nothing’s been decided quite yet!
What are the benefits?
Clearly, creating one set of regulations for the whole EU, rather than nearly 30 separate ones for the member countries, has to be a good thing. It also makes the rules much less complicated and easier to understand. The Regulations also apply to firms based outside the EU when they operate within EU markets, and this too is a good thing.
So, if you’re an organisation or small business, what can you do to make sure you are compliant with the new Regulations once they come into effect in 2016?
Firstly, if you store personal information about staff or clients digitally, you must make sure the method you use to store it is sufficiently secure. Encryption will earn you brownie points, because with suitable encryption, breaking into the data is almost impossible. Of course, anyone with the right login can still get in, so always make sure your passwords are never shared with anyone and that you have a good password management policy.
Good IT security is crucial
Think about security, IT security! Once data is gone, it’s gone, and if it gets into the wrong hands, and then into the media, your business is in trouble and it could cost you dearly in terms of bad publicity and future custom. Anti-malware protection and regular system/software updates or patching are a must, whether you store the information on your hard drive or in the Cloud. You must make sure your data is impregnable and suitably resistant to hacking.
If you’re worried about the security of your data with regard to the new General Data Protection Regulations (GDPR), then talk to us. If you’re concerned about your level of security and interested in improving your protection measures, or if you’re considering secure storage or encryption, get in touch. Make sure you’re ready for GDPR and don’t be one of the ones that gets caught out!
As a guide to ensuring your IT infrastructure is in a good position for this, we would advise you to have a look at our ’15 Point IT Security Checklist’.
Image source: www.isoqsltd.com