EU-GDPR Part 2 – Overview

What does the GDPR cover?

The GDPR covers any information your organisation processes that relates to an identified or identifiable natural person (the 'data subject'). In plain English, that's any living individual who can be picked out from the data, directly or indirectly. The regulation calls this 'personal data', which is broader than the 'personally identifiable information' (PII) you may know from US usage, and it includes any information that can be used to identify a data subject, including (but not limited to) names, postal and email addresses, financial data, and online identifiers such as IP addresses and cookie IDs.

Does it apply to my organisation?

Yes! It applies to any organisation established in the UK or the EU that processes personal data, and also to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. It applies in the UK regardless of the outcome of the Brexit talks.

What are the main principles of the GDPR?

The GDPR governs the collection, processing, storage and destruction of personal data (all of it, not only the 'special category' data it treats as sensitive). We'll cover compliance in more detail in a future email, but for now there are some very important principles (Article 5):

  • Personal data must be processed lawfully, fairly and transparently (lawfulness, fairness and transparency).
  • Personal data can only be collected for specified, explicit and legitimate purposes, and must not be further processed in a way incompatible with those purposes (purpose limitation).
  • Personal data must be adequate, relevant and limited to what is necessary (data minimisation).
  • Personal data must be accurate and, where necessary, kept up to date (accuracy).
  • Personal data must be kept in a form that identifies the data subject for no longer than is necessary (storage limitation).
  • Personal data must be processed in a manner that ensures its security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (integrity and confidentiality).

Underpinning all six is accountability: the controller is responsible for compliance with these principles and must be able to demonstrate it, which is why documentation matters so much.

In a nutshell – What does that really mean for my business?

It means you need to know your data in a way you have probably never considered before. You need to understand your entire data lifecycle and ensure you are compliant at each stage.

  • Collection – Do you have a lawful basis for collecting and processing the data? Consent is only one of six lawful bases (others include performance of a contract, a legal obligation and legitimate interests), but where you rely on it, consent under the GDPR is very specific: it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. If you require the data for four purposes you must gain consent explicitly for all four. Implied consent, pre-ticked boxes and silence are not enough!
  • Processing – Is your use of the data lawful and transparent? Is what you are doing with it necessary, and are data subjects aware of how you are using their information?
  • Storage – Where does your data reside: on-premises or in the cloud? Are appropriate controls in place to protect it? Can you locate all the data you hold about an individual if they ask you to provide it (a subject access request)?
  • Transfer – If data is being transferred within or outside your organisation, is it being done lawfully? Is it protected in transit, and is the recipient also GDPR compliant? A third party processing data on your behalf must be bound by a written contract, and transfers outside the EU require an adequacy decision or other appropriate safeguards.
  • Destruction – Are you retaining data only as long as is necessary? The GDPR includes a 'right to be forgotten' (the right to erasure), so the destruction of data is as critical as its collection.

Where do I even start?

This can all seem a bit daunting and, in truth, there is a lot of work to be done. However, it can be broken down into manageable steps; the key is documentation! The GDPR applies from 25 May 2018, so businesses have until then to ensure compliance and there is absolutely no need to panic.

We’ve broken this down into four concepts you need to consider:

People – Policies – Technology – Monitoring

The two most critical are people and policies. There is no magic technological fix for the GDPR. Training, policies, procedures and written contracts will always trump technical intervention. That’s not to say technical controls are superfluous: there are times when technology is absolutely the answer, but it should be implemented to address a specific risk that people and policies do not already cover.
