In the UK, the Data Protection Act 1998 has been the sole regulatory legislation that companies based here have had to comply with. An Act of Parliament, it was introduced to protect the personal data of British citizens by outlining exactly what businesses must do when processing their information.
On 25 May 2018, the Data Protection Act will be replaced by the EU General Data Protection Regulation (GDPR). This is a Europe-wide set of compliance obligations, rules that will again stipulate what must happen when an organisation handles and processes data. It is widely agreed that the GDPR is a far more robust set of regulations than the legislation currently in place, with the main changes in the areas of child consent, privacy by design and data breach notifications.
As well as changing obligations, the potential sanctions that companies could face should they fail to meet the regulations will be changing too. Businesses will now be fined based on a percentage of their turnover, rather than their profit. For mid-tier companies in competitive marketplaces, this could have a hugely damaging effect. In sectors where margins are tight, a fine of this nature could cause irreparable damage.
Although the UK will be leaving the EU in 2017, this is unlikely to affect the GDPR. Because of its significance, there is a good chance that it will still be enforced regardless. Data must be protected, which is why the GDPR mandate focusses so vehemently on encryption. It is also clear on the importance of logging, so that you know exactly who is accessing and interacting with the data.
The area where many organisations are likely to slip up is the storage of data. When storing information about a customer or user, it will now be your responsibility to make sure that it is looked after appropriately, whatever storage method you use. If you are outsourcing, for example, are you certain that the third-party company you are using backs up and protects the data well enough? The cloud is a fantastic tool, but it is also a big potential threat if you are not careful.
Truly understanding and embracing the regulation changes before they come into effect is going to be crucial to businesses keeping within the boundaries. Those most likely to fall foul will be mid-sized businesses that deal in a lot of data but have never really thought about where to store it. Unlike under the current system, from 2018 strong regulations will be enforced, with the potential for huge fines should they be ignored.
Don’t find yourself or your company under investigation simply because you haven’t understood or implemented the changes in time. Speak to Digital Pathways today, and let us help you bring your company up to date in terms of its digital security.