who is responsible for GDPR

Who Is Responsible For GDPR?

00Business Risk, Cyber Security, GDPR, Supply Chain Risk

Just who is responsible for GDPR in a company?… Everyone starting at board level down…

GDPR In The Press

There was a flurry of press coverage, interviews, radio and TV coverage recently as the ICO began their campaign to make businesses and other organisations aware that there is now less than 200 working days until the EU General Data Protection Regulation (EU GDPR) and the new UK Data Protection Act become law on the 25th May 2018.

But here at Risk Evolves HQ we sighed with frustration and gnashed our teeth that the wonderful BBC continue to report this as a technology story.

Once more the responsibility for all things data related is expected to fall on the shoulders of the much maligned IT Department / Provider. As we have highlighted previously, the entire organisation has a responsibility.

Who Will Be Affected By GDPR?

The EU GDPR will touch every aspect of the organisation and it is important that organisations begin to work on a strategy now. And we very deliberately say ‘organisation’ as the new laws apply to all organisations – commercial, public sector, charities, not for profit, education, SME’s, sole traders – you name it, it is likely to affect you. In brief, anyone who collects and processes data, regardless of organisations sector and size. And regardless of whether it’s digital (ie. on a computer) or on paper.

The EU General Data Protection Regulation (EU GDPR) and the new UK Data Protection Act become law on the 25th May 2018.

The golden rule – if you have data that can identify an individual, then the data is personal. This could be through name, address, IP address, finger print etc. Personal information needs to be treated and respected in the same way as any other company asset. With care and respect, protecting it from damage or theft.

 

Why is GDPR more than just an IT Manager’s Issue?

  • Human Resources / Personnel : they should manage starters and leavers to the organisation, ensuring that new starter information is correctly managed, that employment contracts and induction programmes  make individuals aware of their responsibility to manage data as an asset. They may need to gain consent from the individual for DBS checks, DVLA checks and gain authorisation to process data for payroll, reassuring them that it will not be misused. If you provide information to pension providers, or companies that provide health care benefits, are their systems secure ? What are they doing as data processors to protect individuals information?
  • Training : the on-going education and training of staff to ensure that they understand how data can and cannot be managed. This needs to include information on what to do if they think that they have lost data
  • Procurement : they should ensure that any 3rd parties who may be used to process data follow the same ethos, that the data is protected, not shared with others, and that only the information that is required is passed to them. Equally, if they lose data, suffer a ransomware attack or suspect that their systems have been compromised,, how will this be communicated to you as the data controller ? And if you have outsourced your IT, does the provider have the correct processes and systems in place to manage your data securely ?
  • Legal : are the contracts that are in place with Customers and suppliers robust enough in the new era ?
  • Marketing : similar to the current legislation, marketing has to change to ensure that customers who have positively opted in to mail (both online and postal) campaigns receive emails,
  • Security : is the office and other premises secure ? How is physical data (ie. paper, old laptops etc) destroyed ?

…. The list goes on ..

Management NEED To Take Ownership Of GDPR

However, absolutely key, the management team need to demonstrate to customers and employees that they are serious about the new legislation by taking ownership for ensuring the resources are available to support. This responsibility cannot be abdicated, and in some instances, they will need to assign the role of  Data Protection Officer to an individual who can join them at Board level.

This is clearly not solely a technology challenge !  It is possible to avoid the over reported threat of fines by taking some straight forward and pragmatic steps now.

We understand that these changes all sound daunting, regardless of the size, sector or turnover of your organisation. However, help is at hand. Contact us to find out how the new legislation and regulations apply to your organisation, and for information on our no nonsense approach to becoming compliant.

Contact Us Now

 

Complying To GDPR

What Are The Consequences Of Not Complying To GDPR?

00Business Risk, Cyber Attack, Cyber Security, Data breach, GDPR, IASME, ISO27001, Latest news, Risk Education, Risk Management

So what are the consequences of not complying to the EU General Data Protection Regulations ?

I recently wrote a blog ‘What is GDPR and why do you need it?’ to highlight the real meaning behind why data protection is changing.

What Are The Consequences Of Not Complying To The GDPR?

The UK Government and Information Commissioners Office (ICO) have declared that no new legislation will be introduced to cover the growing threat of cybercrime as this is a business owner responsibility to address.

What they will enforce though is legislation about the use of data… If data is protected then at least any cyber-attacks will mean that personal data is (or should be) protected and safe.

What Are The GDPR Fines Or Punishment?

So the focus is on the GDPR and the penalties for non-compliance are eye watering

  • Infringement of Articles 5, 6, 7 and 9 carries a penalty fine of up to €20M or up to 4% of total global revenue of the preceding year, whichever is greater.
  • Infringement of Articles 8,11, 25-39, 42 and 43 carries a penalty fine of up to €10M or up to 2% of total global revenue of the preceding year, whichever is greater

In summary, we know that the GDPR is coming, that it will become law in May 2018, that it is important, that it should not be ignored and that there will be some pain if we fall short.

You need to comply to the GDPR so the question is…

More info

GDPR the new legislation

What is GDPR and why do you need it?

00Business Risk, Cyber Security, Data breach, GDPR

Why Do We Need the EU GDPR?

The European Union General Data Protection Regulations (or EU GDPR for short) is the update to the current UK Data Protection Act. It will impact all business and how we deal with data online.

Current Data Protection legislation was launched in 1998 and has improved the way businesses control our personal or sensitive data.

Increasingly if you are like me, you find yourself questioning on a daily basis, why more and more people are able to gain my details and send me junk mail and spam, or monitor my activity on websites.

How is this possible if I have ticked the TPA exclusion boxes or put exclusions on my BT line?

The fact is that data protection requirements were written for a different time, so what was a compliant use and retention of data is now not fit for purpose.

Perhaps the legislation was not unreasonable in 1998…….

Where were you 20 years ago? You may have had a computer with a floppy disk and a processor far less powerful that a mobile device today.

I still have my BBC commodore so can quickly prove this to be true!!

  • There was also no Facebook no Google, no Twitter, Instagram to name a few.
  • An iPad didn’t exist, a tablet was still something prescribed by your doctor.
  • Robotics amounted to watching K-9 on Dr Who!

In fact, everything was different … including control and access to data.

Bring the clock forward to a far more technologically advanced world…

More info