Anyone who is not involved in the world of Information Security could be forgiven for not having heard about GDPR (the General Data Protection Regulation), but if you work in this field you have most likely heard about it and wondered how it will affect practices in your role and across the business. I will attempt to keep this as simple as possible; most of what is in GDPR is already best practice.

Back in the 90’s the EU required all member states to have data protection laws covering the handling of personal data (the Data Protection Directive, 95/46/EC, adopted in 1995), and the UK implemented this as the Data Protection Act 1998 (DPA). GDPR replaces that directive and standardises each member nation’s different rules into one regulation that applies directly across the EU.

As of 25th of May 2018 these are the new rules that come into effect:

Privacy by Design

Privacy by Design (PbD) has been part of EU data protection thinking for a while, but the new law makes it a legal obligation: minimise the collection and retention of personal data, process it only for a stated purpose, and ensure that data subjects have given valid consent (or that another lawful basis applies) before their data is stored and processed.

Impact Assessments

Companies have to know exactly where all the personal data on their networks is located, and all of it needs to be classified so that, in the event of a breach, the company can tell what kind of data was affected. Companies will also need to show how the data is monitored, and for processing that is likely to be high risk they must run a Data Protection Impact Assessment (DPIA): an analysis of the risks to their data subjects’ privacy and the impact a compromise would have.

Right to be Forgotten

Individuals have long been able to ask that their data be deleted and that a company stop contacting them. GDPR extends this right (now the right to erasure) to include data published on the web: a company must delete the data and, where it has made the data public, take reasonable steps to tell other controllers processing it that the subject has requested erasure. It is the right to stay out of public view and be forgotten.

Data Leaks

A key requirement of GDPR is that companies will have to notify the data protection authority (the ICO in the UK) of a personal data breach within 72 hours of becoming aware of it, where feasible; a later notification must be accompanied by the reasons for the delay. The data subjects will also have to be notified, without undue delay, but only if the breach is likely to pose a high risk to their rights and freedoms.

I know what you’re thinking at this point.

“But the UK voted to leave the EU (Brexit) so we don’t need to worry about this now as we are leaving the European Union.”

Well, you would be wrong. GDPR states that even if a company has no presence in the EU, it must meet the requirements if it offers goods or services to people in the EU or monitors their behaviour (for example by collecting data about them). Therefore this law will apply to businesses outside the EU too.

“But if we are outside the EU how can they enforce this?”

Well, GDPR has a serious penalty structure that could lead to fines of up to €20 million or 4% of global annual turnover for the previous financial year, whichever is higher. That should be serious enough to make you take note if you want to continue to trade with the EU.

I hope this helps simplify GDPR, but if you have any questions just leave them below in the comments.