What is GDPR?
On the 28 May 2018 the General Data Protection Regulation (simply known as GDPR) becomes enforceable law. But what is the GDPR?
GDPR essentially replaces the Data Protection Act to better cope in today’s modern world. At the heart of the law is the protection of peoples data. By ‘people’ we mean any living human being. By ‘data’ we mean any information that can identify us such as name, address, email address, postcode, telephone numbers and so on.
It essentially increases our ‘human rights’ to include our data. Here are the rights it now gives people:
- The right to keep our data to ourselves
- The right to expect no-one to have our data unless we are aware of it
- The right to give permission before data can be used
- The right to review the data
- The right to transfer the data
- The right to have the data deleted
- The right to compensation for having data mistreated
What GDPR is not?
GDPR is not a computer upgrade. It is a business policy framework that includes I.T. policies. That means that your IT system should work the way your policies intend it to. For example if you assess that you need computers to be encrypted then you must request your I.T. team to make sure this is implemented and that you assign the relevant budget to allow this to happen.
Who does GDPR apply to?
GDPR applies to any person or organisation that holds any information about a human being. It applies to all data from email address books in small businesses as much as it applies to complex databases for big organisations.
Is it EU or UK law?
It was EU law but it was one of the first laws to be ratified into UK law. Therefore it is now UK law.
What about Article 32?
There are 99 articles in the GDPR law and Article 32 is the one about ‘Security’. Essentially this is the article that relates to your computer system and it states (broken down into 5 parts):
1. Taking into account the state of the art,
That is to say that any computer system not deemed to be state of the art cannot considered to be GDPR compliant. State of the art, in our opinion, means any computer system, server, operating system and software package that is still actively supported by its manufacturers. Anything out of date and no longer supported cannot be considered state of the art or GDPR compliant.
2. the costs of implementation,
In our opinion to prove this in court would require a clear demonstration that a reasonable portion of annual turnover is spent on IT hardware, operating systems and software programs. Zero expenditure on IT systems would provide little defence in claiming compliance with GDPR.
3. and the nature, scope, context and purposes of processing
What is the data used for? The more sensitive the environment, the more effort should be asserted on the IT system. For example the NHS are expected to have stronger security systems than a cafe.
4. as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons,
All of the above should be done following a risk assessment.
5. the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
The ‘controller’ is the organisation collecting the data, the processor is the organisation ‘using’ the data. Both shall ensure that the company policies are applied and implemented both on a business level and technical level.
As you can see the actual I.T. system plays a relatively small part in GDPR. More important on the entire system is your business’s understanding and treatment of peoples information.
Is my computer system GDPR compliant?
GDPR is about how data is treated. For example, as a business, how long are ex-employee records kept? Do ex-employees know that these records will be kept for this amount of time? Have they given their consent for this data to be kept for this duration? Is it absolutely necessary to be kept?
As you can see from the above few examples, these are related to company policies & procedures and not necessarily just IT issues. Therefore, it is not the ‘computer system’ that is compliant/non-compliant – it is the business itself and its attitude to peoples data.
What are the consequences of ignoring GDPR?
That’s a great question, and shows you’ve started your risk assessment. You may decide, as the business owner/principle, that GDPR is not worth the time or effort. But what are the consequences?
The GDPR sets out the ramifications of non-compliance very clearly. In the event that data you hold is misused or a person complains about your use of their data it states that a business may be fined up to 20 million Euros or 4% of global turnover. That’s payable to the governing body, which in the UK, is the Information Commissioners Office (ICO).
But that’s not all. The ‘person’ bringing the claim against you can claim for material and immaterial losses. That is to say that after you have been fined they will have a strong case to bring a claim for damages such as time off work, lost earnings as well as immaterial losses such as pain and suffering caused by the data loss and during the process of recovery.
A good example is a builder being unable to complete work because one of his suppliers has been hacked and can’t make deliveries for a few days. If that happens they could claim loss of earnings, penalties imposed by the client as well as compensation for the stress caused dealing with the lateness.
How can Alcom help?
Alcom can apply any policies to your computer equipment that you may require. Following your risk assessments and policy publications simply let us know what changes you would like to make to your network and we will quote you for the work required. This work is simply charged at our standard hourly rates.
If you need a GDPR consultant we are able to recommend a local GDPR consultant who can help you assess your current position, your risks and plan a strategy of compliance with you. To find out more, please contact us.
If you are unsure whether your I.T. system complies with Article 32 we offer a fixed price I.T. infrastructure assessment. We will assess your entire I.T. infrastructure and let you know which equipment currently complies with Article 32 and which equipment needs to be replaced or upgraded or reconfigured.
Limited time offer:
£995 + vat
Contact Us today for more information