What is GDPR
The General Data Protection Regulation (GDPR) is a regulation intended to protect the data of citizens within the European Union. The GDPR will replace the current Data Protection Act (DPA) 1998, which was put in place before major advances in information technology.
It introduces tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data. It also makes data protection rules more or less identical throughout the EU.
Who will be affected
The GDPR applies not only to organisations located within the UK but also to organisations located in and outside of the EU if they offer goods or services to. It applies to all companies processing and holding personal data, regardless of the company’s location.
Under the GDPR, personal data is any information relating to a person, such as a name, a photo, an email address, bank details, updates on social networking websites, location details, medical information, or a computer IP address.
In a nutshell
- Collecting personal data, both B2C and B2B
- Storing personal data
- Using personal data
Who does GDPR apply to?
GDPR applies to any company that stores customer and prospective customer data; this includes data in mailboxes, on servers or in the cloud.
There are data ‘controllers’ and ‘processors’. The controller decides how and why data is processed, and the processor stores the data. If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to securely store and protect data, maintain records of data, and log details of all processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
GDPR Compliance Requirements
To address the GDPR compliance requirements, organisations may need to employ one or more different encryption methods within both their on-premises and cloud infrastructure environments. Some of the key privacy and data protection requirements of GDPR include:
- Requiring the consent of subjects for data processing
- Anonymising collected data to protect privacy
- Providing data breach notifications
- Safely handling the transfer of data across borders
- Requiring certain companies to appoint a data protection officer to oversee GDPR compliance
In addition, strong key management is required not only to protect the data, but also to ensure the deletion of files and to comply with a user’s right to be forgotten.
Organisations will also need a way to verify the legitimacy of user identities and transactions, and to prove compliance. It is critical that the security controls in place can demonstrate this.
How we can help
Taking the necessary steps to be compliant is a key requirement of GDPR. As a business, we followed this guide from the Information Commissioner’s Office (ICO) to help us strengthen our processes.
avecSys can help with the ‘Information Security’ part of GDPR with the following solutions:
- IT Security risk assessment of all systems
- Anti-virus & Anti-malware software for Workstations & Servers
- Central Security Management
- Enforced daily virus and malware scans on all Workstations
- Multi-Factor Authentication for Office 365
- Data backup solutions for Office 365, G-Suite, NAS devices & Servers
- Hosted Active Directory for security
  - Includes automated user password resets, workstation operating system updates, screen locking after a defined period, single sign-on credentials for all systems / software and much more
Plus much more, depending on the systems used.
What happens if you don't comply with GDPR
Non-compliance can mean being fined by the authorities or sued by individual consumers. The financial penalties for non-compliance are bigger than under the old Data Protection Act. There’s an upper limit of €20 million or 4% of your annual global turnover, whichever is higher. The authorities can also:
- Give official warnings
- Demand audits
- Require issues to be fixed by a strict deadline
- Force you to destroy illegal data
- Stop you from communicating with your databases
- Stop data transfers to other countries
There’s more. Non-compliance also means you don’t have a clean, warm database of customers and prospects to communicate with, which puts you at a significant marketing disadvantage.
Get in touch
If you need help with the security aspect of GDPR compliance please get in touch.
Our consultants can review your current network infrastructure and offer solutions to help keep your network secure from potentially harmful viruses and data breaches.
Disclaimer: The information contained within this page does not in any way constitute legal advice. The service we can provide covers certain security measures that businesses can use to protect themselves against attacks.