Author Gary Hibberd
Ok before we start I’ll warn you this blog is about ‘Data Regulations’… Wait!! Wait! Don’t go!!
Data Protection Regulations are VERY important to you and to me. They set the basic rules on how the information you share about yourself is managed by all those who have access to it. But I worry when I hear that many business owners/leaders don’t know who the Data Protection Officer is in their own company or if they are even registered with the Information Commissioners Office, it worries me and it should worry you too.
But regulations are changing and because I know some people want to know the headlines… Here they are:
A new EU Data Regulation is coming that requires you to…
- keep a log of Data breach incidents (just like your H&S Accident Book)
- hire a Data Protection Officer (if you employ more than 250 people or process large amounts of data or sensitive data)
- be able to comply with an individual’s ‘right to erasure or to be forgotten’
- have the ability to export personal data belonging to an individual and transfer this to a place of their choosing.
In addition, if you were to suffer a major data breach you may be fined between 2% and 5% of your worldwide profit.
Interested in knowing more? Does this worry you at all? Does this matter to you? Well, yes it does…
It matters to you even if you don’t run a business, because the data we are talking about here includes YOUR data. It’s the data the government holds about you. It‘s the data the NHS is holding about you.
But if you run a business then you need to know about the new legislation which is coming from Europe; The ‘General Data Protection Regulation’ will be here by Spring 2016 and you have until 2018 to show compliance, so you better start to understand what needs doing, now. So here’s a few things to get you thinking about this topic in alittle more detail.
The GDPR introduces the concept of ‘accountability’ into EU data protection law which means Data controllers will be required to implement appropriate and effective security measures and must be able to demonstrate that these are managed effectively.
’Risk’ and ‘High Risk’
The GDPR requires data processors to assess the risks associated to the data under its control and can assign either ‘Risk’ or ‘High Risk’ to the data they hold. Depending upon the risk rating appropriate security controls and practices will need to be implemented. What ‘appropriate’ means is down to YOU to decide (and don’t say “it’s on the Cloud” and think that answers the issue – it doesn’t!). There is some guidance on this and we at Agenci will be providing more on the topic over the coming months, but will be working with the European Data Protection Board to truly understand what ‘appropriate’ is.
Data Protection by default. Data Secure by Design
The GDPR will go further than asking organisations to implement good security practices, by placing obligations on companies to put in place security-enhanced measures at the time of inception, design and build. The term ‘Privacy by Design’ will become popular over the coming months and should be asked about when talking to software and web developers – if they don’t know what it is, then send them a copy of this blog(!)
Notification of Data Breaches
So what happens when something goes wrong? When you’ve had a breach? The new GDPR requires organisations to notify both the ICO and those who have been (or may be) affected within 72 hours. But only if the breach will result in a risk for the rights and freedoms of individuals. Unfortunately the GDPR doesn’t set firm rules around how you will need to respond to a breach, so this needs to be defined by you, the data controller.
As the saying goes; Good things come to those that wait. Well we’ve certainly waited a long time for the new ‘General Data Protection Regulations’, which were finally ratified by UK Government in December 2015 and will (we hope) be passed as European legislation in April 2016.
But is the planned ‘ GDPR’ any good? Well, yes it is. I’d say GDPR, or ‘Getting Data Protection Right’ is very important. The GDPR is set to change how data is managed across the EU and is important to us as businesses but also as data subjects. GDPR is helping to set some rules around how YOUR data is shared and processed.
It’s time to take responsibility for this very important area and over the coming months Agenci will help to explain a relatively complex area and bring out the key points that you need to be aware of. So we hope we can help you and change your opinion to GDPR – ‘Getting Data Protection Right’.
Agenci is responsible for protecting businesses from cyber threats, cyber-attack, internal threats and business outages. Agenci ensures clients systems are secure and provide peace of mind through a range of proven specialist information security solutions.
Speak to a member of the team now on
03455 760 999
We would love to help you, ask for Gary Hibberd :