The General Data Protection Regulation (EU) 2016/679 (GDPR) was implemented in May 2018 and enacted into UK law under the Data Privacy Act 2018 (DPA18). Although there are some subtle differences, organisations need to comply with both GDPR and DPA18.
While there are many similarities with prior data protection regulation, the GDPR did deliver some punchy updates, including:
- GDPR applies to anyone offering services to EU citizens, no matter where you are based
- Data minimisation – you must collect only the data needed to fulfil your purpose, and no more
- Security (Confidentiality and Integrity) – privacy by design and protected processing
- More substantial rights for data subjects, including the ability to pursue civil action
- No charges for a data subject access request (usually!)
- Mandatory breach notification where there is a risk to the rights and freedoms of individuals
- Accountability is explicit: the data controller is responsible for compliance and must be able to demonstrate it
- Fines for non-compliance are now much more severe, at up to 4% of global turnover or €20 million, whichever is greater. Take a look at some examples of ICO enforcement action here.
Although Covid has disrupted business over the last eighteen months, we expect data protection legislation to continue to make an impact. Recently, the DLA Piper Data Breach Survey noted a 39% increase in fines over the previous year.
Many businesses found GDPR an administrative burden in 2018 and introduced steps to provide a 'quick fix'. Unfortunately, such quick fixes are proving unlikely to achieve most organisational goals in the long term.
Our approach of understanding how you function and accepting the limitations and vulnerabilities of the systems in place means you can take appropriate precautions relevant to the data you manage.
Affordably accomplish compliance ... your GDPR journey can give you confidence in how you work.
A typical project engagement may involve three phases:
Awareness, understanding and assessment
- Have the business owners understood the requirements on them and the business?
- Do you have a Data Protection Officer, or are you sure you do not need one?
- Can you verify all physical and virtual places where you store data?
- Have you recorded your processing activities? If not, have you documented why?
- Are you reliant on Legitimate Interest and confident of your ability to prove it?
- Have you been processing fairly and transparently?
We've no doubt you've answered yes to all the above - but how have you proved and documented it?
Analyse data and data flows, review system security, and document all policies, processes and procedures to GDPR standards
- Do internal data processing activities and your records meet the requirements of GDPR?
- Are your processes and IT solutions secure?
- Do your processors and business partners comply with GDPR?
- Do you have an audit trail of processing, and can you prove your data subjects can exercise their rights?
- Do you have a breach response plan?
- Are your staff prepared for a breach?
- Have you considered a Data Privacy Impact Assessment?
Regularly revising how you manage data should be a top priority
Regular audits can reduce time spent on unnecessary tasks, ensuring efficient practices are supporting rather than hindering your people.
Continually training your most valuable asset, your staff, strengthens your 'human firewall', turning them from a threat into well-educated and sensible 'champions' of your data processing activities.
Contrary to some views, data protection is not an IT issue – that’s where Cydarity steps in. With the cooperation of your team, we take the 'defiance out of compliance' ... the path need not be a rocky one with Cydarity.
We take full responsibility for project management from start to finish, giving you the confidence to know precisely where you stand. Whether you choose fixed-fee work or the more usual project-based daily rate, you can be sure of precisely what you are getting for your spend.