<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>GDPR &#8211; Accountants High Wycombe</title>
	<atom:link href="https://www.totaltaxaccountants.co.uk/tag/gdpr/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.totaltaxaccountants.co.uk</link>
	<description>Total Tax Accountants &#124; High Wycombe</description>
	<lastBuildDate>Mon, 29 May 2023 07:02:55 +0000</lastBuildDate>
	<language>en-GB</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>https://wordpress.org/?v=5.8.4</generator>

<image>
	<url>https://www.totaltaxaccountants.co.uk/wp-content/uploads/2021/11/cropped-76650746_568424413913834_4010736535128244224_n-32x32.png</url>
	<title>GDPR &#8211; Accountants High Wycombe</title>
	<link>https://www.totaltaxaccountants.co.uk</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>What is GDPR? How to Be GDPR Compliant?</title>
		<link>https://www.totaltaxaccountants.co.uk/gdpr/</link>
					<comments>https://www.totaltaxaccountants.co.uk/gdpr/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Mon, 15 Mar 2021 07:32:11 +0000</pubDate>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[UK GDPR]]></category>
		<guid isPermaLink="false">https://www.totaltaxaccountants.co.uk/?p=15422</guid>

					<description><![CDATA[<p>What is GDPR and How to Be GDPR Compliant? The General Data Protection Regulation is a piece of EU legislation passed by the European Parliament in 2016. It is enforceable in all EU countries from May 25, 2018. Punishing fines for data misuse and breaches can reach £18million or 4 per cent of global annual [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.totaltaxaccountants.co.uk/gdpr/">What is GDPR? How to Be GDPR Compliant?</a> appeared first on <a rel="nofollow" href="https://www.totaltaxaccountants.co.uk">Accountants High Wycombe</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h1><span style="font-family: tahoma, arial, helvetica, sans-serif; font-size: 12pt;"><strong><u>What is GDPR and How to Be GDPR Compliant?</u></strong></span></h1>
<p><span style="font-family: tahoma, arial, helvetica, sans-serif;">The General Data Protection Regulation is a piece of EU legislation passed by the European Parliament in 2016. It is enforceable in all EU countries from May 25, 2018. Punishing fines for data misuse and breaches can reach £18 million or 4 per cent of global annual turnover, whichever is higher. The UK GDPR aims to make it simpler for people to control how companies use their personal details. Strict rules mean companies are not allowed to collect and use personal information without the person&#8217;s consent. Data includes things like a person&#8217;s name, email address and phone number, and also internet browsing habits collected by website cookies. Firms must also report any data breaches &#8211; including cyber-attacks and accidental leaks &#8211; to the authorities within 72 hours. Individuals can demand a copy of all data held about them, which must be supplied within 30 days. In some cases they can also ask for their data to be deleted under the formal &#8220;right to be forgotten&#8221;. Privacy campaigners have hailed the regulation as a step forward for online rights, but small firms are furious about the burden of complying with the law.</span></p>
<p><span style="font-family: tahoma, arial, helvetica, sans-serif;">With the new legislation coming into force on 25 May 2018, it is very important that you are fully compliant with the new GDPR rules. We have drawn up a few steps below to help you stay compliant.</span></p>
<h2><span style="font-family: tahoma, arial, helvetica, sans-serif; font-size: 12pt;"><strong>Step 1 <u>GDPR</u></strong></span></h2>
<p><span style="font-family: tahoma, arial, helvetica, sans-serif;">Look at the customer information you currently hold.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> You should document what personal data you hold, where it came from and who you share it with; in other words, you will need to organise an &#8220;information audit&#8221;.</span></p>
<h2><span style="font-family: tahoma, arial, helvetica, sans-serif; font-size: 12pt;"><strong>Step 2 <u>GDPR</u></strong></span></h2>
<p><span style="font-family: tahoma, arial, helvetica, sans-serif;">Check your data collecting procedures.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> Ensure that the way you collect your clients’ data covers all of their legal rights.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> For example: do you ask their permission to store their personal data?</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> Many companies take for granted that customers are &#8220;OK&#8221; with them storing their details. But unless you have asked their permission first and can prove that they have given it, you will be breaking the UK GDPR law, and if your system is breached by a hack then you are in trouble. They can rightly sue you!</span></p>
<h2><span style="font-family: tahoma, arial, helvetica, sans-serif; font-size: 12pt;"><strong>Step 3 <u>GDPR</u></strong></span></h2>
<p><span style="font-family: tahoma, arial, helvetica, sans-serif;">Review ALL of your current privacy notices: the ones on your website, the one in your emails and so on.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> Then put a plan in place for making any necessary changes in time for GDPR implementation.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> These are the first three steps to being GDPR compliant.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> I am sure that you can already see the need for a few changes in the way you obtain and store your customers’ data.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> And the more you think about it, the more sense these changes make.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> If you comply with the GDPR law it will SAFEGUARD YOU and SAFEGUARD YOUR CLIENTS from the catastrophic damage that will result from a data breach!</span></p>
<h2><span style="font-family: tahoma, arial, helvetica, sans-serif; font-size: 12pt;"><strong>Step 4 <u>GDPR</u></strong></span></h2>
<p><span style="font-family: tahoma, arial, helvetica, sans-serif;">How to deal with clients’ requests to access their data</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> This is when a client asks you to tell them what information you are storing about them. The UK GDPR law says you must have a proper procedure in place to fulfil their request.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> This procedure must now include all of these points:</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • A description of their personal data.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • The reasons it is being stored.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • Whether their data will be given to any other organisations or people.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • You must give them a detailed copy of the information that you are holding.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • They must be given details of the source of the data, i.e. where it was obtained, the date and so on.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • You must respond to their request promptly and in any event within 40 calendar days of receiving it.</span></p>
<p><span style="font-family: tahoma, arial, helvetica, sans-serif;"> <strong>Step 5</strong></span></p>
<p><span style="font-family: tahoma, arial, helvetica, sans-serif;">Is the way you process customer data lawful?</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> This means that you must:</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • Have legitimate grounds for collecting and using the personal data.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • Not use the data in ways that have unjustified adverse effects on the individuals concerned.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • Be transparent about how you intend to use the data.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • Give individuals the correct privacy notices when collecting their personal data.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • Handle people’s personal data only in ways they would reasonably expect.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • Make sure you do not do anything unlawful with the data.</span></p>
<p><span style="font-family: tahoma, arial, helvetica, sans-serif;"> <strong>Step 6</strong></span></p>
<p><span style="font-family: tahoma, arial, helvetica, sans-serif;">The right way to obtain your clients’ consent to store their data.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> The GDPR sets a high standard for obtaining your clients’ consent to obtain and store their data. What does consent mean? Consent means offering individuals genuine choice and control.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> With that in mind, here are the new GDPR rules on consent.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • Explicit consent requires a very clear and specific statement of consent.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • Keep your consent requests separate from other terms and conditions.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • Be specific and granular. Vague or blanket consent is not enough.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • Be clear and concise.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • Name any third parties who will rely on the consent.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • Make it easy for people to withdraw consent and tell them how.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • Keep evidence of consent – who, when, how, and what you told people.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • Keep consent under review and refresh it if anything changes.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • Avoid making consent a precondition of a service.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> You must check your consent practices. Rebuild your consent procedures if they don’t meet the UK GDPR standard. The above rules may seem excessive, but if you do get hacked and have a data breach you are required by law to inform the ICO within 72 hours. Their response will be to go through all of these points to see if you have complied with them. If you have not, you will be prosecuted and fined.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> You will also have to inform ALL of your clients that you have lost their data to a hacker. Their basis for suing you will be that you were not GDPR compliant. So, you must be!</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> Everyone who is in business needs to take these requirements seriously.</span></p>
<p><span style="font-family: tahoma, arial, helvetica, sans-serif;"> <strong>Step 7</strong></span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> Child Data Protection</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> You should start thinking now about whether you need to put systems in place to verify individuals’ ages. If you do need to store data obtained from people under 18 years of age, then you need to obtain parental or guardian consent for any data processing activity.</span></p>
<p><span style="font-family: tahoma, arial, helvetica, sans-serif;"> <strong>Step 8</strong></span></p>
<p><span style="font-family: tahoma, arial, helvetica, sans-serif;">Who should be your Data Protection Officer(s)?</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> A Data Protection Officer, or DPO, is someone who manages and monitors your data and ensures that GDPR requirements are being met. The role requires professional experience and knowledge of data protection law.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> They will check your online security, make sure passwords are regularly changed, firewalls are working and antivirus is regularly updated. They will be the liaison for any data protection issues.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> Under the UK GDPR law, you must appoint a DPO if you:</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • are a public authority;</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • carry out large-scale systematic monitoring of individuals (for example, online behaviour tracking);</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • carry out large-scale processing of special categories of data or data relating to criminal convictions and offences.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> You may not need a DPO, but it is a good idea to have someone assigned this role anyway. Far too often data breaches occur because passwords are not changed regularly, or firewall and antivirus software is not regularly updated. So, having someone assigned to this task may save you from a data breach.</span></p>
<p><span style="font-family: tahoma, arial, helvetica, sans-serif;"> <strong>Step 9</strong></span></p>
<p><span style="font-family: tahoma, arial, helvetica, sans-serif;">What to do in the case of a data breach</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> This is where the nightmare starts.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> By law you must inform the ICO within 72 hours if you have had a data breach.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> You must inform all your clients whose data has been lost and is now in the hands of hackers. You must also advise them of how they can protect themselves from the effects of their personal data being in the hands of the hackers.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> You must also keep a record of any and all data breaches.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> Before a data breach occurs you MUST have well-thought-out procedures in place to deal with one.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> This is what the procedures must include for responding to a data breach:</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • Have in place a process to assess the likely risk to individuals as a result of a breach.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • Have a process in place to notify the ICO of a breach within 72 hours of becoming aware of it, even if you do not have all the details yet.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • Know what information you must give the ICO about a breach.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • Have a process to inform affected individuals about a breach.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • You must inform affected individuals without undue delay. How will you contact them?</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • Prepare what information about a breach you must provide to individuals.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> • Decide how you will provide advice to help them protect themselves from its effects.</span></p>
<p><span style="font-family: tahoma, arial, helvetica, sans-serif;"> <strong>VERY IMPORTANT POINT: </strong></span></p>
<p><span style="font-family: tahoma, arial, helvetica, sans-serif;">Document all these procedures and date-stamp them. This will show that you had these procedures in place BEFORE the data breach. Remember, you will only have 72 hours to report the data breach to the ICO and inform all of your clients that their data has been compromised. Before we go into that, let’s clear up a myth. The myth is that as long as you have good firewalls and updated anti-virus software then you are protected.</span></p>
<p><span style="font-family: tahoma, arial, helvetica, sans-serif;">No, you are not!</span></p>
<p><span style="font-family: tahoma, arial, helvetica, sans-serif;"> Preventing a data breach is as much about using good anti-data-breach software as about using &#8220;common sense&#8221;. Let’s talk about using common sense to prevent a data breach.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> <strong>Regularly change your passwords.</strong> Limit the number of people who have them, change them every week and do not send them via email to those that need them. If you can write them on a piece of paper and hand them over, do so. You cannot hack a piece of paper!</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> <strong>Prevent data loss by accident.</strong> Do not move sensitive data from one device to another using external devices, i.e. memory sticks, CDs and so on. People can lose these by accident or have them stolen. Either way you would need to inform the ICO within 72 hours; accidents and theft still count as a data breach.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> <strong>TRAIN your employees to prevent a data breach.</strong> Many data breaches occur when an employee opens an email that carries a trojan, virus or other malware. They need to be trained to identify such emails. If they have access to data, then they need to learn how to keep it secure. This training needs to be done regularly and be an ongoing process, because people simply forget online safety or get into bad habits, and that results in data breaches.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> <strong>Monitor what your employees are accessing online.</strong> If your employees are using office computers to access websites, then you need to know what type of sites they are accessing. Just by being on a certain site they can &#8220;open the door&#8221; to hackers. So, restrict what your employees can use office computers for.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> <strong>Restrict what your employees can download.</strong> Hackers trick people into downloading material from the internet in which they have placed malware. This is obvious, but if you do not restrict what they can download then your entire data security system is vulnerable.</span></p>
<p><span style="font-family: tahoma, arial, helvetica, sans-serif;"> <strong>Shred files:</strong></span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> You should shred all files and folders that contain any sensitive data. Do not put them in the bin! Dispose of any old data-storing equipment safely. Before disposing of any data storage equipment, ensure that the data cannot be retrieved from it. There are applications which can retrieve information after you have deleted files.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> <strong>Put restrictions on unencrypted devices:</strong></span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> Laptops and other portable devices that are unencrypted are prone to attack. If a laptop has sensitive data on it, do not allow it to be removed from a secure environment and absolutely do not allow it to be used in public areas like hotel lobbies. These are places that hackers frequent to steal personal data.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> To sum up, if you put these &#8220;common sense&#8221; anti-data-breach procedures in place it will protect you and your clients, and it will go a long way to convincing the ICO that you have been serious about data security, and this will prevent them from fining and prosecuting you if there is a data breach.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> <strong>Firewalls and antivirus software:</strong></span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> Every computer in your office needs both. This includes laptops and tablets. You must regularly update these to ensure that you have the very latest protection.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> This is the first line of defence. They will highlight any suspicious activity.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> <strong>Security patches:</strong> Software vendors are constantly releasing security patches, so make sure that you apply them as soon as they come out.</span></p>
<p><span style="font-family: tahoma, arial, helvetica, sans-serif;"> <strong>Encryption</strong></span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> Encrypting data makes it useless to the hacker if they do not have the encryption key. Encrypt sensitive data but keep the key safe.</span></p>
<p><span style="font-family: tahoma, arial, helvetica, sans-serif;"><strong>Vulnerability testing</strong></span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> This involves stress-testing all areas of your data security system. It can involve sending mock phishing emails to your employees to see who opens the attachment, which will identify who needs extra security training. Other vulnerability tests will expose holes in your security and allow you to repair them. This can all be done remotely via software.</span></p>
<p><span style="font-family: tahoma, arial, helvetica, sans-serif;"> <strong>An activity monitoring system</strong><br />
This will allow you to monitor, restrict and block all users on your network. This will keep you in control of what they are doing and allow you to prevent risky behaviour that could cause a data breach.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> <strong>Interactive on-line training videos</strong></span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> This can be sent regularly to each employee to keep them up to date with security procedures and help identify suspicious email and behaviour. This will remind them to be security conscious and this can go a long way to preventing a security breach.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> These are all separate pieces of software that will need to be integrated to work together; an important piece of software is an automated security suite that performs all of the above tasks.</span></p>
<p><span style="font-family: tahoma, arial, helvetica, sans-serif;"> Having an automated security system has many benefits such as saving vast amounts of time and ensuring your entire security system is regularly updated.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> For example, how long would it take you to manually:</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> * Update the firewall and antivirus software for each computer in the office.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> * Apply all new security patches to every computer in the office.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> * Train each employee on a regular basis on data security.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> * Monitor the activity on your network actively looking for attacks and breaches.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> * Perform regular vulnerability tests on your employees and data protection system.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> * Keep your entire data protection system working seamlessly together.</span><br />
<span style="font-family: tahoma, arial, helvetica, sans-serif;"> Having automated security software is an important element to keeping your data safe.</span></p>
<p><span style="font-family: tahoma, arial, helvetica, sans-serif;">We hope all of the above information helps you to understand your role and stay within the legislation prescribed by the UK GDPR. Should you have any further questions, please do not hesitate to get in touch with our team.</span></p>
<p><a href="https://www.totaltaxaccountants.co.uk/">Get Help here</a></p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.totaltaxaccountants.co.uk/gdpr/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>GDPR – How much to disclose in your privacy policy</title>
		<link>https://www.totaltaxaccountants.co.uk/gdpr-privacy-policy/</link>
					<comments>https://www.totaltaxaccountants.co.uk/gdpr-privacy-policy/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Mon, 15 Mar 2021 07:24:17 +0000</pubDate>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[General Data Protection regulations]]></category>
		<guid isPermaLink="false">https://www.totaltaxaccountants.co.uk/?p=15412</guid>

					<description><![CDATA[<p>GDPR – How much to disclose in your privacy policy The General Data Protection Regulation (GDPR) requires you to disclose certain information to people whose data you collect, use, store or otherwise “process”. The Regulation does state what does need to be disclosed. However, it isn’t prescriptive, which has led to much confusion as exactly [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.totaltaxaccountants.co.uk/gdpr-privacy-policy/">GDPR – How much to disclose in your privacy policy</a> appeared first on <a rel="nofollow" href="https://www.totaltaxaccountants.co.uk">Accountants High Wycombe</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><strong>GDPR – How much to disclose in your privacy policy</strong></p>
<p>The General Data Protection Regulation (GDPR) requires you to disclose certain information to people whose data you collect, use, store or otherwise “process”.</p>
<p>The Regulation does state what needs to be disclosed. However, it isn’t prescriptive, which has led to much confusion as to exactly what level of detail to provide in a privacy notice.</p>
<p>There is uncertainty in three particular areas.</p>
<p><strong>What data is in the scope of the Regulation?</strong></p>
<p>The scope of the GDPR is personal information; that is, information that could identify an individual. Context is important in deciding what personal information is.</p>
<p>There is some information that clearly identifies an individual. Payroll information that lists salary by name would constitute personal information, as would salary by job title, if job titles could identify to whom salaries were paid.</p>
<p>Then there is information that identifies an individual only through context. Maternity pay for the business would be personal information if it were known that it related to one specific person. Maternity pay if there were several people on maternity leave over the same period might not be personal.</p>
<p>Distinguishing personal data becomes more difficult when there could be multiple contexts. Information relating to sole traders is an excellent example. Where information such as name and contact information is used for business, it falls outside the scope of GDPR. However, that same information might equally be used for personal reasons as well (certainly a name, and possibly a mobile telephone number). Here it is necessary to consider not only what data is processed, but also the context in which it is processed.</p>
<p>Similarly, information about employees is likely to be in the scope of GDPR. If you have a database that gives Mary as the customer support representative for a supplier, that is probably business data and out of scope. As soon as anything further that is personal to Mary is known (such as an e-mail conversation between you that tells you what she did at the weekend), that becomes personal data and within scope.</p>
<p><strong>Categories of data, purpose and grounds for processing</strong></p>
<p>GDPR only requires you to identify categories of personal data, and for each the lawful basis on which it is processed, and the purpose for processing.</p>
<p>The Regulation doesn’t specify how granular the information must be. At first, it may seem best to be as transparent as possible by being very specific.</p>
<p>However, the more specific you are, the more you confine yourself to that data or those uses. We believe the ideal balance is probably to use a reasonably wide description of a category of data (such as “contact information”) and then give specific examples as to what may be in that category (such as “telephone number and e-mail address”).</p>
<p>To make disclosure decisions a little more difficult, if the data subject provides you with his or her own data, you are not required to set out what this is.</p>
<p>In the case of data processed to carry out a contract, the categories of data, the basis and the purpose are likely to be the same. For example, the information that is given in order to allow you to perform your service (category and purpose) is likely to be processed under Contract (basis). Given that the majority of information is likely to have been given by your client, there probably isn’t much other information to disclose (to that data subject, although there might be to other related parties).</p>
<p>Sometimes it won’t be known what data will be processed and therefore you will not be able to be specific at all. For example, your client may be subject to a tax investigation. What information HMRC will request is unknown when you write your privacy policy, but whatever information it is will be processed (handed over) on the basis of Legal Obligation.</p>
<p>A last consideration on this point is that if any data subject is interested to know the specific details of what information you hold about him or her, and the basis for processing, he or she has a right to ask you. So the GDPR gives an opportunity to be specific if specificity is required. As a side note, interestingly, there are situations that don’t require you to fulfil this request.</p>
<p><strong>Cookies</strong></p>
<p>Cookies are a way of collecting and reading data between webpages. They are small files, stored by the web browser when a user visits one webpage, and read or modified on another. Commonly they are used for tracking behaviour (such as the order of webpages visited), or for recording information between webpages (such as storing the answers to a set of questions on one page, for use on another).</p>
<p>Cookie policies have come about because at one time there was concern about their use. However, the GDPR doesn’t require any more special treatment of cookies than of any other method of data use – that is categories of data, purpose and grounds for processing. There is actually no requirement for specifically mentioning that you use cookies. Some of the data you collect using them could also be collected by other means.</p>
<p>If you do mention use of cookies, which is probably something that still interests data subjects, you can disclose this within your privacy policy – there doesn’t need to be a separate cookie policy page.</p>
<p>Nor does the depth of information you provide about cookies need to be great – just sufficient.</p>
<p>Cookies are an example of something about which too much information might be less useful than too little. Developers can change the parameters of cookies, such as what they do or when they expire, relatively often. Many developers are third parties (for example Google, in providing its website Analytics software). Such changes can be made without telling you, requiring you to audit your cookie use often. It could be argued that detailed information that is incorrect is less useful than more generalised information that is correct. You could also argue that the average reader of your privacy policy is not interested in exactly what your cookie names are, or what their expiry dates are, just whether you use them and briefly why.</p>
<p><strong>In summary</strong></p>
<p>Like so many other information disclosures (such as the many in accounting) there is a balance between disclosing too little and too much. When writing your privacy policy, what you need to ensure is that your communication of it is concise and transparent.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.totaltaxaccountants.co.uk/gdpr-privacy-policy/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
