Author Gary Hibberd
The GDPR Myth
One of the biggest ‘myths’ or misunderstandings surrounding GDPR (and there are many) is that it only applies to large organisations processing large amounts of personally identifiable information (PII). If you’re someone who believes this, then it’s time for a reality check.
Does GDPR apply to me?
The Information Commissioner’s Office (ICO) has stated that the new Regulation
“…applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.”
Note that the ICO does not specify size or sector. The ICO also goes on to state that the new Regulations apply to Data ‘Controllers’ and ‘Processors’. The definitions are important:
• Controller – The organisation that establishes the ‘How’ and ‘Why’ of personal data use
• Processor – The organisation that defines how the personal data will be stored, managed and secured
Under the new Regulations there are additional conditions placed on the Processor (we’ll cover this in a later article), but it is interesting that the ‘Controller’ now has specific responsibilities under the new Regulations, which means that you can’t simply ‘outsource’ the risks associated with data protection.
For example, companies who have outsourced their HR/payroll functions are still the Controller. If this sounds like you, then it means that you need to assess how this data will be collected and for how long.
The new Regulation applies to controllers and processors in the EU irrespective of where processing takes place, because it protects EU (or, in the future, UK) citizens. So even if you control or process data outside the UK, if that data relates to UK citizens you will still need to comply with the Regulations. This means companies like Google and Facebook will also need to comply with the new Regulations, including gaining ‘Consent’ to hold this information (no doubt through the use of the ‘I Accept’ button!).
It is almost guaranteed that the new Regulations apply to you. Yes, there are exceptions, but most relate to law enforcement. For example, even if you write software that’s used in manufacturing, or make rubber ‘widgets’ that fit into larger ‘plastic widgets’, and you do nothing more than employ people – then it still applies to you.
The new Regulations also apply to YOU, the EU/UK citizen. You’re going to have additional rights that you can exercise against organisations who hold YOUR data. From your utility provider through to your bank, they will all need to be in touch with you to explain how, why and what data they hold about you. And if they suffer a breach, then there could be some significant problems headed their way!
So remember: you have rights, but so do your employees and your customers.
We would love to help you, ask for Gary:
Agenci Information Security is responsible for protecting businesses from cyber threats, cyber-attacks, internal threats and business outages. Agenci are committed to helping businesses prepare for the GDPR and to putting in place controls (such as ISO 27001) to prevent data breaches and cyber incidents from occurring.