What is GDPR and How to Be GDPR Compliant?
The General Data Protection Regulation is a piece of EU legislation passed by the European Parliament in 2016. It is enforceable in all EU countries from May 25, 2018. Fines for data misuse and breaches can reach €20 million (about £18 million) or 4 per cent of global annual turnover, whichever is higher. The GDPR aims to make it simpler for people to control how companies use their personal details. Companies must have a lawful basis, such as the person's consent, before they collect and use personal information. Personal data includes things like a person's name, email address and phone number, and also internet browsing habits collected by website cookies. Firms must also report data breaches, including cyber-attacks and accidental leaks, to the supervisory authority within 72 hours of becoming aware of them. Individuals can demand a copy of all data held about them, which must be supplied within one month. And in some cases they can ask for their data to be deleted under a formal "right to be forgotten". Privacy campaigners have hailed the regulation as a step forward for online rights, but small firms are furious about the burden of complying with the law.
With the new legislation in force from 25 May 2018 it is very important that you are fully compliant with the GDPR. We have drawn up a few steps below to help you stay compliant.
Step 1 GDPR
Look at the customer information you currently hold.
You should document what personal data you hold, where it came from and who you share it with. You will need to organise an “information audit”.
Step 2 GDPR
Check your data collecting procedures.
Ensure that the way you collect your clients' data respects all of their legal rights.
For example: Do you ask their permission to store their personal data?
Many companies take for granted that customers are "OK" with them storing their details. Consent is only one of the lawful bases the GDPR allows (others include performing a contract with the person and your own legitimate interests), but if you rely on consent you must have asked for it first and be able to prove that it was given. Store data with no lawful basis at all and you are breaking the law, and if your system is then breached you are in serious trouble: individuals who suffer damage because of an infringement have a right to compensation, so they can rightly sue you.
Step 3 GDPR
Review ALL of your privacy notices: the ones on your website, the ones in your emails and so on.
Then put a plan in place for making any necessary changes in time for GDPR implementation.
These are the first three steps to being GDPR compliant.
I am sure that you can already see the need for a few changes in the way you obtain and store your customers' data.
And the more you think about it the more sense these changes make.
If you comply with the GDPR it will SAFEGUARD YOU and SAFEGUARD YOUR CLIENTS from the catastrophic damage that a data breach can cause!
Step 4 GDPR
How to deal with client access requests to their data (subject access requests)
This is when a client asks you to tell them what information you are storing about them. The GDPR says you must have a proper procedure in place to fulfil their request.
This procedure must cover all of these points:
• A description of their personal data.
• The reasons it is being stored.
• Whether their data will be given to any other organisations or people.
• A full copy of the information that you are holding.
• Details of the source of the data, i.e. where it was obtained, the date, etc.
• How long you will keep the data, and their right to complain to the ICO.
• You must respond to their request without undue delay and in any event within one month of receiving it. The old 40-day limit from the Data Protection Act 1998 no longer applies. The month can be extended by up to two further months only for complex or numerous requests, and you must tell the person within the first month if you are extending.
Is the way you process customer data lawful?
This means that you must:
• Have legitimate grounds (a lawful basis) for collecting and using the personal data.
• Not use the data in ways that have unjustified adverse effects on the individuals concerned.
• Be transparent about how you intend to use the data.
• Give individuals the correct privacy notices when collecting their personal data.
• Handle people's personal data only in ways they would reasonably expect.
• Make sure you do not do anything unlawful with the data.
The right way to obtain your clients consent to store their data.
The GDPR sets a high standard for obtaining your clients' consent to collect and store their data. What does consent mean? Consent means offering individuals genuine choice and control.
With that in mind here are the new GDPR rules on consent.
• Consent requires a positive opt-in. Don't use pre-ticked boxes or any other method of consent by default.
• Explicit consent requires a very clear and specific statement of consent.
• Keep your consent requests separate from other terms and conditions.
• Be specific and granular. Vague or blanket consent is not enough.
• Be clear and concise.
• Name any third parties who will rely on the consent.
• Make it easy for people to withdraw consent and tell them how.
• Keep evidence of consent: who, when, how, and what you told people.
• Keep consent under review and refresh it if anything changes.
• Avoid making consent a precondition of a service.
You must check your consent practices and rebuild your consent procedure if it does not meet the GDPR standard. The above rules may seem excessive, but if you are hacked and suffer a data breach that is likely to put individuals at risk you are required by law to inform the ICO within 72 hours of becoming aware of it. The ICO will then go through all of these points to see whether you have complied with them. If you have not, you can expect enforcement action, including fines.
Where the breach is likely to result in a high risk to the people affected you will also have to tell those clients that their data has been compromised. Their basis for suing you will be that you were not GDPR compliant. So, you must be!
Everyone who is in business needs to take these requirements seriously.
Child Data Protection
You should start thinking now about whether you need to put systems in place to verify individuals' ages. The GDPR sets the age of digital consent at 16 and lets member states lower it to as low as 13 (the UK has chosen 13). If you offer online services directly to children below that age and rely on consent to process their data, you must obtain parental or guardian consent and make reasonable efforts to verify it.
Who should be Your Data Protection Officer/s
A Data Protection Officer, or DPO, is someone who monitors how your organisation handles personal data and ensures that GDPR requirements are being met. The role requires professional experience and expert knowledge of data protection law, and the DPO must be able to act independently.
The DPO's statutory tasks are to inform and advise you and your staff about your data protection obligations, to monitor compliance (including assigning responsibilities, raising awareness, training staff and auditing), to advise on data protection impact assessments, and to act as the contact point for the ICO and for individuals with data protection questions. Day-to-day IT security work, such as keeping firewalls, antivirus and patches up to date, belongs to whoever runs your systems rather than to the DPO, although the DPO should check that it is being done.
Under the GDPR, you must appoint a DPO if you:
• Are a public authority.
• Carry out large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking).
• Carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
You may not need a DPO. But it is a good idea to have someone assigned this role anyway, and to name someone (who may be a different person) as responsible for the security of your systems. Far too often data breaches occur because software is left unpatched, passwords are weak or reused, or firewall and antivirus software is not kept up to date. So, having someone accountable for these tasks may save you from a data breach.
What to do in the case of a data breach
This is where the nightmare starts.
By law you must inform the ICO within 72 hours of becoming aware of a data breach, unless the breach is unlikely to result in a risk to the people affected. Even when you decide not to notify, you must document the breach and your reasoning.
Where the breach is likely to result in a high risk to them, you must also inform, without undue delay, all clients whose data has been lost and may now be in the hands of attackers. You must also advise them how they can protect themselves from the effects, for example by changing passwords and watching for phishing or fraud.
You must also keep a record of any and all data breaches.
Before a Data breach occurs you MUST have in place well thought out procedures to deal with a data breach.
This is what the procedures must include for responding to a data breach:
• Have in place a process to assess the likely risk to individuals as a result of a breach.
• Have a process in place to notify the ICO of a breach within 72 hours of becoming aware of it, even if you do not have all the details yet.
• Know what information you must give the ICO about a breach.
• Have a process to inform affected individuals about a breach.
• You must inform affected individuals without undue delay. How will you contact them?
• Prepare what information about a breach you must provide to individuals.
• How you will provide advice to help them protect themselves from its effects.
VERY IMPORTANT POINT:
Document all these procedures and date stamp them. This will show that you had these procedures in place BEFORE the data breach. Remember, you will have only 72 hours from becoming aware of the breach to report it to the ICO, and affected individuals must be told without undue delay. Before we go into that, let's clear up a myth: that as long as you have good firewalls and updated anti-virus software then you are protected.
No, you are not!
Preventing a data breach is as much about "common sense" as it is about security software. Let's talk about using common sense to prevent a data breach.
Passwords. Limit the number of people who have access to each system, give each person their own account rather than a shared password, and do not send passwords by email. Use long, unique passwords (a password manager makes this practical) and turn on two-factor authentication wherever the system supports it. Current NCSC guidance is to change a password when you suspect it has been compromised rather than on a fixed schedule, because forced weekly changes push people towards weak, predictable passwords written on notes that anyone in the office can read.
Prevent data loss by accident. Do not move sensitive data from one device to another using external devices such as memory sticks or CDs. People lose these by accident or have them stolen, and either way you would need to assess the breach and inform the ICO within 72 hours. Accidents and theft still count as a data breach. If removable media is unavoidable, encrypt it.
TRAIN your employees to prevent a data breach. Many data breaches occur when an employee opens an email attachment or link that carries a trojan, virus or other malware. They need to be trained to identify such emails. If they have access to data, then they need to learn how to keep it secure. This training needs to be regular and ongoing, because people forget online safety or get into bad habits, and that ends in a breach.
Monitor what your employees are accessing online. If your employees are using office computers to access websites, then you need to know what kind of sites they are accessing. Simply visiting a compromised site can "open the door" to attackers. So, restrict what your employees can use office computers for.
Restrict what your employees can download. Attackers trick people into downloading files from the internet with malware hidden inside them. This is obvious, but if you do not restrict what they can download, then your entire data security system is vulnerable.
Shred all files and folders that contain sensitive data. Do not put them in the bin! Dispose of any old data storage equipment safely. Before disposing of any data storage equipment, ensure that the data cannot be retrieved from it: simply deleting files is not enough, because there are applications that can recover deleted files. Overwrite the drive with a secure-erase tool or physically destroy it; for laptops and SSDs the most reliable option is to have had full-disk encryption on from the start and to destroy the key when the device is retired.
Put restrictions on unencrypted devices:
Laptops and other portable devices that are unencrypted expose everything on them if they are lost or stolen. Turn on full-disk encryption on every laptop and phone that holds client data; with it on, a stolen device that was powered off is useless to the thief. Without it, do not allow a laptop holding sensitive data to leave a secure environment, and absolutely do not allow it to be used in public areas like hotel lobbies, where devices are stolen and screens are overlooked.
To sum up, if you put these "common sense" anti-data-breach procedures in place it will protect you and your clients, and it will go a long way to convincing the ICO that you have taken data security seriously, which counts in your favour when the ICO decides whether to fine or prosecute after a breach.
Firewalls and antivirus software.
Every computer that is in your office needs both. This includes laptops and tablets. You must regularly update these to ensure that you have the very latest protection.
This is the first line of defence, not the whole of it. They will block known threats and flag suspicious activity, but they will not catch everything.
Security patches. Software vendors constantly release security patches, so make sure that you apply them as soon as they come out; most breaches exploit vulnerabilities for which a patch already exists.
Encrypting data makes it useless to an attacker who does not have the encryption key. Encrypt sensitive data, but keep the key safe and separate from the data: a key stored in the same database or on the same disk as the data it protects is taken in the same breach.
Vulnerability testing.
This involves stress testing all areas of your data security system. It can include sending mock phishing emails to your employees to see who opens the attachment or clicks the link, which identifies who needs extra security training. Other vulnerability tests will expose holes in your security and allow you to repair them. Much of this can be done remotely via software.
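The phishing simulation described above needs two things: a link per recipient that cannot be guessed or swapped between colleagues, and a way to turn the hits in the web server log back into a list of who needs training. The script below is an added example written for this article, not code from the original page or from any product it mentions. It assumes a training host at training.example.com, a per-campaign secret (hard-coded here only so the example runs on its own), and a constructed access log in the combined format that Apache and nginx write.

```python
import hashlib
import hmac
import re

# Assumption: a per-campaign secret kept outside the code (for example in an environment
# variable); it is hard-coded here only so the example runs on its own.
CAMPAIGN_SECRET = b"rotate-this-for-every-campaign"
CAMPAIGN_ID = "2018-05-invoice-lure"

# Constructed list of recipients for the simulation.
EMPLOYEES = ["alice@example.com", "bob@example.com", "carol@example.com"]


def token_for(email, campaign=CAMPAIGN_ID, secret=CAMPAIGN_SECRET):
    """Per-recipient link token. An HMAC over campaign and address means tokens cannot be
    guessed, enumerated or swapped between colleagues, and a token alone reveals no address."""
    mac = hmac.new(secret, f"{campaign}:{email}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def tracking_url(email, base="https://training.example.com"):
    """The link embedded in the mock email; base is an assumed training host."""
    return f"{base}/t/{token_for(email)}"


# Combined-style access log line: client, identity fields, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def build_sample_log():
    """Constructed access log for this example (not real traffic): Alice clicked the link,
    Bob clicked and then opened the attachment, Carol did nothing, and an outside scanner
    probed a token that does not exist."""
    a, b = token_for("alice@example.com"), token_for("bob@example.com")
    return [
        f'10.0.0.5 - - [25/May/2018:09:01:12 +0100] "GET /t/{a} HTTP/1.1" 200 512',
        f'10.0.0.9 - - [25/May/2018:09:02:40 +0100] "GET /t/{b} HTTP/1.1" 200 512',
        f'10.0.0.9 - - [25/May/2018:09:02:55 +0100] "GET /t/{b}/attachment HTTP/1.1" 200 2048',
        '203.0.113.7 - - [25/May/2018:09:03:10 +0100] "GET /t/deadbeefdeadbeef HTTP/1.1" 404 0',
        '10.0.0.5 - - [25/May/2018:09:04:00 +0100] "GET /static/logo.png HTTP/1.1" 200 4096',
    ]


def analyse(log_lines, employees=EMPLOYEES):
    """Map tracking hits back to people and report who needs extra training."""
    by_token = {token_for(e): e for e in employees}
    clicked, opened, unknown = set(), set(), set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = m.group("path").split("/")  # "/t/<token>[/attachment]"
        if len(parts) < 3 or parts[1] != "t":
            continue
        email = by_token.get(parts[2])
        if email is None:
            unknown.add(parts[2])  # scanner, typo or forged token: investigate, do not count
            continue
        clicked.add(email)
        if len(parts) > 3 and parts[3] == "attachment":
            opened.add(email)
    return {
        "clicked": sorted(clicked),
        "opened_attachment": sorted(opened),
        "not_fooled": sorted(set(employees) - clicked),
        "unknown_tokens": sorted(unknown),
    }


if __name__ == "__main__":
    for email in EMPLOYEES:
        print(email, "->", tracking_url(email))
    print(analyse(build_sample_log()))
```

Two points a practitioner should keep in mind. The simulation itself processes employees' personal data (their addresses and their behaviour), so record it in the information audit from Step 1, tell staff that a programme exists, and use the results to target training rather than discipline. The HMAC token also keeps email addresses out of URLs, which would otherwise end up in proxy and web server logs.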
An activity monitoring system.
This will allow you to monitor, restrict and block users on your network. It keeps you in control of what they are doing and lets you prevent risky behaviour, such as downloading installers from unknown sites, before it causes a data breach.
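Most small offices already have the raw material for this kind of monitoring in their web proxy log. The script below is an added example written for this article, not code from the original page or from any monitoring product, showing the policy check behind "restrict what your employees can download" run over a few constructed Squid-format log lines. It assumes an allowlist of your own vendors' download hosts (the example-vendor.com names are placeholders) and flags two things: executable downloads from anywhere else, whether spotted by file extension or by the content type the server sent, and requests the proxy has already denied.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumption: your own vendors' download hosts, the only places installers should come from.
TRUSTED_DOWNLOAD_HOSTS = {"downloads.example-vendor.com", "update.example-vendor.com"}
EXECUTABLE_EXTENSIONS = (".exe", ".msi", ".scr", ".js", ".vbs", ".ps1", ".bat", ".hta", ".jar")
EXECUTABLE_TYPES = {
    "application/x-msdownload", "application/x-msdos-program",
    "application/x-msi", "application/java-archive", "application/x-executable",
}

# Constructed sample log in Squid's native format (not real traffic): timestamp, elapsed ms,
# client, result/status, bytes, method, URL, ident, hierarchy, content type.
SAMPLE_PROXY_LOG = """\
1527235200.101    450 10.0.0.5 TCP_MISS/200 34567 GET http://downloads.example-vendor.com/agent-setup.exe - HIER_DIRECT/198.51.100.10 application/x-msdownload
1527235260.318    120 10.0.0.9 TCP_MISS/200 90112 GET http://free-invoice-tools.example.net/Invoice.pdf.exe - HIER_DIRECT/203.0.113.40 application/x-msdownload
1527235290.002     30 10.0.0.9 TCP_MISS/200 2048 GET http://cdn.example.org/style.css - HIER_DIRECT/203.0.113.41 text/css
1527235330.555     75 10.0.0.12 TCP_DENIED/403 0 GET http://blocked-site.example.com/ - HIER_NONE/- text/html
1527235360.777    210 10.0.0.12 TCP_MISS/200 512000 GET http://files.example.net/update - HIER_DIRECT/203.0.113.42 application/x-msdownload
"""


def parse_squid_line(line):
    """Split one native-format line into the fields the policy needs; None for junk lines."""
    fields = line.split()
    if len(fields) < 9:
        return None
    return {
        "timestamp": float(fields[0]),
        "client": fields[2],
        "result": fields[3],  # e.g. TCP_MISS/200 or TCP_DENIED/403
        "method": fields[5],
        "url": fields[6],
        "content_type": fields[9] if len(fields) > 9 else "-",
    }


def looks_executable(url, content_type):
    """Extension or content type: a renamed installer still announces itself by MIME type."""
    path = urlsplit(url).path.lower()
    return path.endswith(EXECUTABLE_EXTENSIONS) or content_type.lower() in EXECUTABLE_TYPES


def check_request(entry):
    """Return the policy reason to flag this request, or None if it is acceptable."""
    if entry["result"].startswith("TCP_DENIED"):
        return "request blocked by proxy policy"
    host = urlsplit(entry["url"]).hostname or ""
    if looks_executable(entry["url"], entry["content_type"]) and host not in TRUSTED_DOWNLOAD_HOSTS:
        return "executable download from untrusted host"
    return None


def audit_proxy_log(lines):
    """Run the policy over every line and collect the flagged requests in log order."""
    findings = []
    for line in lines:
        entry = parse_squid_line(line)
        if entry is None:
            continue
        reason = check_request(entry)
        if reason:
            findings.append({"client": entry["client"], "url": entry["url"], "reason": reason})
    return findings


def summarise(findings):
    """Flagged requests per client, so you can see who needs a word or tighter restrictions."""
    return dict(Counter(f["client"] for f in findings))


if __name__ == "__main__":
    findings = audit_proxy_log(SAMPLE_PROXY_LOG.splitlines())
    for f in findings:
        print(f"{f['client']:<10} {f['reason']:<40} {f['url']}")
    print(summarise(findings))
```

The fifth sample line is the one worth noticing: the URL has no telltale extension, so a filter that only looks at file names would let it through, while the content type the server returned gives it away. Run the same check daily over the real log and you have a cheap version of the activity monitoring the page describes, and a record you can show the ICO of what you were watching for.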
Interactive on-line training videos
This can be sent regularly to each employee to keep them up to date with security procedures and help identify suspicious email and behaviour. This will remind them to be security conscious and this can go a long way to preventing a security breach.
These are all separate pieces of software that need to be integrated to work together; an important piece is automated security software that performs all of the above tasks from one place.
Having an automated security system has many benefits such as saving vast amounts of time and ensuring your entire security system is regularly updated.
For example, how long would it take you to manually:
* Update the firewall and antivirus software for each computer in the office.
* Apply all new security patches to every computer in the office.
* Train each employee on a regular basis on data security.
* Monitor the activity on your network actively looking for attacks and breaches.
* Perform regular vulnerability tests on your employees and data protection system.
* Keep your entire data protection system working seamlessly together.
Having automated security software is an important element to keeping your data safe.
We hope all of the above information helps you to understand your role and stay within what the GDPR requires. Should you have any further questions, please do not hesitate to get in touch with our team.