All UK businesses need to be prepared for new European data protection regulations which come into force next May.
Even if your company does not sell products or services into the European Union, you may still have to comply with the General Data Protection Regulation (GDPR), which supersedes the UK’s own 1998 Data Protection Act.
There is a good chance you work with business partners who hold the records of EU citizens, either as employees or as customers, meaning the GDPR still applies. If your partners have to comply, it is likely your company will have to as well because, as a third party, you may come into contact with the personal data of your partners’ customers through email correspondence, order forms or access to certain shared databases, for example.
The penalty for non-compliance with these new data protection rules could be as high as €20 million or 4 per cent of your company’s annual revenues, whichever is the greater, which is four times the penalty imposed by the UK Data Protection Act.
The GDPR requires any company that processes data on EU citizens to be responsible for protecting it and any data breaches must be reported within 72 hours of an incident. Current UK law does not place companies under any obligation to report such breaches.
Right to erase records
Another difference will be that the GDPR gives an individual the right to have his or her records permanently deleted from your databases.
There are many other differences, which the EU’s webpages explain in detail. What it all adds up to is that the GDPR will be harder to comply with, which is why Microsoft has come up with a step-by-step guide to help companies get all their ducks in a row before May 2018.
At the same time, it is promoting its Azure cloud platform as a way to help companies comply.
Microsoft defines four steps: Discover, Manage, Protect and Report.
The first step, Discover, is about identifying all the personal data your company holds and knowing where it is stored. Microsoft highlights the Azure Data Catalogue, its SharePoint Search Service and the ability to query databases using the SQL language. All of these help companies build a tidy inventory of the data they hold, so that they know where it is stored and what it is being used for.
Step two, Manage, is about managing access to and use of personal data. Here Microsoft highlights the privacy-by-design and privacy-by-default methodology of its data governance strategy, which keeps you in control of the data. Privacy-by-design is a very important aspect of the GDPR because Protection Impact Assessments will be mandatory under the new regulations and must be carried out whenever there is a high risk to the freedoms of an individual.
The third step, Protect, is divided into establishing security controls to protect the data held by your company and being able to detect and respond to data breaches. Lastly, step four, Report, is about reporting data breaches and keeping the required documentation.
ISO 27001 certification helps
It’s essential for companies in Sussex and across the South East to take a close look at all data-related aspects of their business before the new regulations come into force.
A good way to achieve this is by obtaining ISO 27001 certification to demonstrate that you have a good information security management system in place.
Gary Jowett from CNC in Brighton says: “The important thing is to put IT at the top of your list of priorities. There’s less than a year left to prepare for the GDPR so all organisations need to devise and implement processes that will ensure they fully understand what personal data they store and can also document why it’s being stored and used.”