04 May – GDPR- how does it affect you?

GDPR

I’m sure you’ve all seen the term GDPR (General Data Protection Regulation) being mentioned quite a lot of late, but have you yet had a chance to understand how it affects your brand? Well here’s your chance.

We’ve recently hosted a webinar on this very subject, so if you’d prefer to watch this, here’s the link.

What does it mean?

On 25 May 2018 GDPR (General Data Protection Regulation) will be enforced. It has been put in place to protect customers and to give them greater power over the data that businesses hold on them. Many businesses collect customer data for monetary gain, and this new law will help put a stop to that.

With security threats growing and breaches occurring all too frequently, it will require all businesses to handle customer data extremely carefully and to be seen to be doing all they can to stop data breaches and cyber-attacks on their networks.

Ian Moyse, industry cloud leader and non-executive director of a GDPR training organisation, states that ‘directors of companies are going to be liable for GDPR’. Failing to comply with the standards of this new law will mean fines of up to €20 million or 4% of last year’s turnover, whichever is greater. A scary thought, I know!

Will it affect me?

The General Data Protection Regulation is the most significant data protection law to be enforced in the last 20 years. It will affect every business, big or small, across 28 countries in Europe, as well as any business elsewhere that handles personal data on EU residents. If this covers you, it’s time to take the necessary action to stop non-compliant data activity occurring in your business and exposing you to these crippling fines.

To consider

There are various elements Ian Moyse mentions in the webinar which I believe you will find particularly valuable.

  • 72 hours to notify of a breach – if you believe your business has experienced a data leak, with unintended individuals gaining access to the personal information you hold on users, under the new GDPR legislation you will have 72 hours to notify your regional office of the breach. Failing to do so could see your business receive the maximum fine of €20 million or 4% of last year’s turnover, whichever is greater.
  • Users can ask what data you hold on them – GDPR is on the side of the individuals you hold data on, so under this new legislation individuals will have 30 days to request what data you hold on them. This means you will need a system in place to quickly find, and where required remove, this data everywhere.
  • Individuals can withdraw consent at any time – everyone has the right to request that they are removed from your database. Do you currently have the capability to remove their data everywhere quickly and efficiently? Processes like this will need to be put in place to manage the transition effectively.
  • Opt out of web cookies – you will have to give visitors the right to withdraw their agreement to cookies even after they have accepted them.
  • Users can claim compensation – once a breach has occurred, the commissioner’s office will notify all customers affected, and those users then have the right to claim compensation for their data loss.
  • Opt in to all email content – gone are the days when you can send recipients an email containing a range of content. Under this law you will have to be explicit about the type of content they will be receiving, and they will have to opt in to all of it before you have the right to send them anything. Failing to do this will mean you’re in breach.

Our biggest piece of advice when tackling this mountain of a task is to seek professional advice and attend an accredited training programme. This will ensure you are geared up to tackle it effectively. And I wouldn’t leave it long; there will probably be a lot you have to re-evaluate.

23 February – Why you NOW need to understand GDPR if you are in or trade in Europe

Ahead of our GDPR webinar on the 8th March, in which Ian Moyse (industry cloud leader and non-executive director of a GDPR training organisation) is presenting, Ian has kindly provided us with a fantastic article to share with you all.

You may have heard the term GDPR (General Data Protection Regulation), and if not, you certainly will. As we approach May 25th 2018, when this becomes European law, the noise around it will grow.

Don’t stop reading now because the acronym seems boring and not relevant to you: it may well be boring, but it is relevant to you!

What’s happening is that a new law will come into play across Europe, and yes, the UK is included too: Brexit or no Brexit, it will apply! This law will affect organisations with operations in the EU, those that trade from one EU country to another, and those that simply trade within the territory.

This is not another Year 2000 hype where there was no impact or pain. The impact is already happening, and the pain is going to get greater!

If you’re not sure what the GDPR is or how it will affect your business, now’s the time to start paying attention. This is all about a company’s legal liability to protect the data it holds on staff, customers and in fact anyone whose personal details are stored, and the impact (fines in £) that will ensue if you don’t!

So this encompasses cloud, on-premise, IoT and mobile: no matter where you store data, if it meets the criteria of personally identifiable and relevant information then you need to comply.

Ignorance will not be an excuse and in fact will put you in a far worse position. It is far better to be able to demonstrate, as a defence, your diligence of action and how you have tried to mitigate any risk. It is good practice to be able to show that you have attended training, acted on the process it recommended and tried to do the right thing; then you have a far better chance of being treated leniently and worked with rather than against, should the worst happen.

There is a wealth of information and articles on GDPR available; unfortunately they mostly defer quickly to complex, detailed information and do NOT give clear and plain guidance as to what it means and what needs to be done, hence statistics such as “96% of businesses do not fully understand GDPR” (source: Symantec 2016 – Global Security Mag).

Any firm operating in the EU will need to comply legally and demonstrate that it holds personal data securely and has strong processes around data holding, security and destruction.

So let’s make this clear and simple in 3 buckets: why it matters, what it is and what you need to do:

Data is important and you have a legal responsibility to do certain things

Data breaches hit an all-time record high in 2016, with an increase of 40% over 2015! (Source: Help Net Security)

You may already have heard about some of the high-profile names that suffered such breaches in the last few years, such as Three Mobile (UK), French naval defence contractor DCNS, Vodafone (Germany), Tesco Bank (UK), Bundestag (Germany), the Czech Ministry of Education, the Irish Department of Social and Family Affairs and Kiddicare (UK). We could go on, and there will be more of these stories coming for sure!

Data protection laws are long overdue an overhaul. For example, most Data Protection Acts have not been revisited since the late 90s at best (e.g. the Data Protection Act 1998), since when the world has changed radically, with the internet, cloud and mobile changing the volume of interactions and data exchanges taking place.

What GDPR is

GDPR is the new law that requires, from May 2018 (source: Europa), that any business which operates in the EU or handles the personal data of people residing in the EU must implement a strong data protection policy to protect that client data. It is the EU’s way of giving customers more power over their data and less power to the organisations that collect and use such data for monetary gain. Businesses that fail to meet the new standard will face fines of up to 4% of global turnover or €20m (whichever is larger), and businesses that suffer a data breach without having adequate measures in place will suffer the same.

So this is a law: something mandatory that you need to take action on as a director of a firm with director liabilities, and something that your customers care about. See it not as a threat but as an opportunity to get your ship in shape and proudly state to customers that you have been on GDPR training and are putting processes in place to be a good, caring supplier. Consider adding a ‘GDPR and how we care for your data’ section to your website, alongside ‘contact us’ and ‘about us’.

What action you need to take… (and don’t panic)

You need to be prepared as a business to take action now and to mitigate the risks you face.

Do not assume you are immune from a data leak and that you can deal with it afterwards! By taking action now you can help reduce the risk of it happening, and taking demonstrable action will provide you with a defence should the worst happen.

The May 2018 deadline may seem a long way off now, but businesses must act today in order to understand what it will take for them to achieve compliance. You need to have time to do it too, and to do it without panic, whilst fitting it in alongside the day-to-day running of the business.

You need to get the ball rolling and have a plan of actions for your journey to GDPR, so that come 2018 you have no panic, no worries and can assure your customers of your compliance.

There is already much scrutiny from customers of non-EU businesses, such as US cloud providers operating in the region, and there will be increased expectation under GDPR as more customers promote their own GDPR compliance to reassure their own customers.

There is much talk, for example, that every organisation will need to appoint a Data Protection Officer and that failure to do so will expose you to possibly huge financial sanctions. In some cases this may be required. You need to understand this now, so you can construct the plan that makes you compliant in the most effective manner for your business.

The last Information Commissioner’s Office survey found that 75% of adults don’t trust businesses with their personal data (source: Alphr). So as well as being legally compliant, you can also use this in a positive way to reassure clients dealing with you.

You will find many offering 3-day courses and/or complex, expensive consultancy, and whilst for some this may be appropriate, the majority will allocate someone in their business to manage the process. This will often involve a day’s awareness and process training workshop, which will get you on the way with plenty of time to implement it in your business.

If you found this article interesting and would like to know more, please do register for our webinar on the 8th March, where Ian Moyse will be talking about this very topic as well as answering any questions you may have. We hope to see you there.