GDPR PINKCONNECT.COM | 0345 450 9393 Basic fundamentals of the General Data Protection Regulations

Upload: dinhnga, posted 21-Jul-2019


What does GDPR address?

GDPR's primary focus is on putting citizens and consumers first and ensuring organisations handle personal data with extreme care.

Organisations need to ensure subjects know exactly what information will be stored, what it will be used for, who will be using it and for how long it will be stored and used. Personal data is any information relating to an identified or identifiable person, and includes any of the following:

• Name • Email • IP Address • Location Identifier • Phone numbers • Account Numbers

There is also a class of sensitive personal data (the "special categories"). Processing it is prohibited unless one of the specific conditions set out in the regulation applies, of which explicit consent is only one. Sensitive personal data includes:

• Biometric data (where used to identify a person) • Religious/philosophical beliefs • Political opinions • Racial/ethnic origin

Storage and use of this type of data must satisfy at least one of those conditions, for example explicit consent from the subject, or processing that is necessary to comply with employment law.

If you are a joint controller, both controllers need to be clear about their purposes, their means of processing and their respective responsibilities.

If you are found not to be complying with certain articles of the regulation, you can be subject to one of two tiers of fine. The higher tier is up to 4% of annual worldwide turnover or up to €20 million (whichever is higher); the lower tier is up to 2% of annual worldwide turnover or up to €10 million (whichever is higher).


Who does GDPR concern?

Whether you are a controller or a processor, GDPR will affect any company worldwide that is handling personal data from residents within the EU. 

If you are a controller, you will need to clearly state why you are capturing the data, what you will be using it for and how long the data will be stored for. 

If you are a processor, you will need to keep a record of all processing activities carried out on the controller's behalf and notify the controller without undue delay of any personal data breach.

If you are providing products or services within the EU and do not have a corporate office within the EU, you will need to have a representative in the EU.

A Data Protection Officer (DPO) must be appointed if the organisation:

- carries out large-scale, regular and systematic monitoring of individuals - carries out large-scale processing of special categories of data, or of data relating to criminal convictions and offences - is a public authority or body

Even if none of these criteria applies, it is still advisable to appoint a Data Protection Officer as good practice, but you need to ensure they have sufficient skills to carry out their tasks. The Data Protection Officer advises both employees and the organisation of their obligations, ensuring compliance with the GDPR and other data protection laws. Lastly, the Data Protection Officer is the first point of contact for customers, employees and supervisory authorities.


"Will GDPR remain after Brexit?"

GDPR will still be enforced by law once the UK leaves the European Union. The ICO (Information Commissioner's Office) has made it explicitly clear that the UK will keep the General Data Protection Regulation, even if the EU flag does lose a star...

Elizabeth Denham (Information Commissioner):

"The big question is what happens when the UK leaves the EU. The legal relationship answers are for government to give – I'm a regulator, independent of government - but they've made it clear that EU law will remain UK law, until the government sees fit to repeal it."


Source: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/01/gdpr-and-accountability/


When does GDPR become law in the UK?

GDPR replaces the Data Protection Directive (and, in the UK, the Data Protection Act 1998), so that all organisations follow one regulation.

GDPR was adopted on 27 April 2016 and is enforced from 25 May 2018. It will remain in place after Brexit. Having every EU country follow one regulation reduces confusion and ensures companies follow the correct rules.

A breach must be reported only if it is likely to result in a risk to the rights and freedoms of data subjects (e.g. identity fraud). In that case the organisation must notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to subjects, the organisation must also inform the affected individuals without undue delay. A breach that is unlikely to result in a risk does not have to be reported to the ICO, but it should still be recorded internally, and it is no reason not to review the security controls and procedures currently in place.

The breach notification should contain: the nature of the breach (the categories and approximate number of subjects and records concerned); the name and contact details of the Data Protection Officer or other contact point; the likely consequences of the breach; and the measures taken or proposed to deal with it, including how it will be prevented from recurring. Failing to report a breach can result in a fine of up to 2% of annual worldwide turnover or up to €10 million, whichever is higher.


Where does GDPR cover?

GDPR was adopted by the European Parliament and the Council of the European Union, on a proposal from the European Commission. It applies to every organisation processing the personal data of people in the EU, including organisations established outside the EU that offer goods or services to EU residents or monitor their behaviour, so companies in non-EU countries must also abide by the regulation.

Organisations should also understand where personal data is stored and processed within the company structure. A data flow diagram achieves this and makes compliance and day-to-day operations easier, particularly when handling Subject Access Requests (SARs): if you know where the data lives, locating and returning the information requested through a SAR is straightforward.


Why is GDPR becoming law?

GDPR is replacing the Data Protection Directive, introducing new requirements for companies to follow and having stricter punishments for not following the framework.

The regulation allows subjects to have more power over the personal data companies store about them, allowing subjects to submit a subject access request, requiring any information held about an individual to be shown to them.

GDPR also ensures that all businesses that deal with personal data within the EU have a clear framework to follow, ensuring they handle personal data competently, professionally and with care.

When it comes to collecting personal data, you need to explicitly state why you are collecting it to the subjects, ensuring that any reason given is not ambiguous.


How will it affect UK Companies?

To prepare for GDPR you need to know exactly what information you capture, what it will be used for and whether any other parties will use it. Once you have identified where the information is processed and stored, you can plan the procedures for handling Subject Access Requests and the security controls that protect the information.

When a subject exercises their rights, you may need to do any of the following:

• Explain how their personal data is processed • Give them access to their personal data (what information is held and the purpose of holding it) • Erase the information held about them on request, where the right to erasure applies

When it comes to security, GDPR names only two specific technical measures. The first is encryption of personal data, both at rest and in transit. The other is pseudonymisation: storing personal data in a form that can no longer be attributed to a specific data subject without the use of additional information, with that additional information kept separately and protected by its own technical and organisational controls. The regulation otherwise requires security "appropriate to the risk", so these two are examples, not the whole obligation.

Additional security measures are needed to prevent breaches that can cause harm to subjects (e.g. identity theft or financial loss). For individual computers, have endpoint anti-virus software installed and active, keep all software up to date, and ensure the host firewall is active and kept current so that any network ports and services that are not needed are closed. For the company network, it is vital to have a firewall in place and active at the network boundary, with rules that permit only the traffic you have explicitly allowed into the network.
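The following is an added example of keyed pseudonymisation; it is not code from the original Pink Connect document. It replaces the direct identifiers in a set of constructed sample records with HMAC-SHA256 tokens under a secret key, keeps the token-to-value lookup table (the "supplementary information") as a separate object, and shows why an unkeyed hash is not enough: anyone holding a list of likely e-mail addresses can recompute plain hashes and recover the subjects. The field names, sample values and key handling are assumptions made for illustration.

```python
"""Keyed pseudonymisation of direct identifiers (added example, not from the page)."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Tuple

# Constructed sample records for illustration; no real people or addresses.
SAMPLE_RECORDS: List[Dict] = [
    {"email": "alice@example.com", "ip": "203.0.113.10", "plan": "pro", "spend": 120},
    {"email": "bob@example.com", "ip": "203.0.113.11", "plan": "free", "spend": 0},
    {"email": "alice@example.com", "ip": "203.0.113.10", "plan": "pro", "spend": 35},
]

# Direct identifiers that must not appear in the working (pseudonymised) copy.
IDENTIFIER_FIELDS = ("email", "ip")


def new_key() -> bytes:
    """Secret for the HMAC. In production this belongs in a KMS/HSM with its own
    access control, not on the same system as the pseudonymised data set."""
    return secrets.token_bytes(32)


def keyed_token(field: str, value: str, key: bytes) -> str:
    """HMAC-SHA256 over 'field:value', truncated to 128 bits.
    Deterministic for one key, so one subject stays joinable across records;
    without the key an attacker cannot recompute tokens from guessed values.
    Mixing in the field name keeps the same value in two columns distinct."""
    mac = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def unkeyed_token(field: str, value: str) -> str:
    """The weak alternative: a plain hash. Included only to demonstrate the attack."""
    return hashlib.sha256(f"{field}:{value}".encode("utf-8")).hexdigest()[:32]


def pseudonymise(records: List[Dict], key: bytes) -> Tuple[List[Dict], Dict[str, str]]:
    """Return (working copy with identifiers replaced, lookup table).
    The lookup table is the 'supplementary information' GDPR refers to; store it
    separately from the working copy, or the data is not pseudonymised in any
    meaningful sense."""
    lookup: Dict[str, str] = {}
    working: List[Dict] = []
    for rec in records:
        copy = dict(rec)
        for field in IDENTIFIER_FIELDS:
            token = keyed_token(field, rec[field], key)
            lookup[token] = rec[field]
            copy[field] = token
        working.append(copy)
    return working, lookup


def reidentify(record: Dict, lookup: Dict[str, str]) -> Dict:
    """Reverse the mapping for an authorised purpose, e.g. answering a subject
    access request. Only a holder of the lookup table can do this."""
    restored = dict(record)
    for field in IDENTIFIER_FIELDS:
        restored[field] = lookup[record[field]]
    return restored


def spend_per_subject(working: List[Dict]) -> Dict[str, int]:
    """Analytics still works on the working copy because tokens are consistent."""
    totals: Dict[str, int] = {}
    for rec in working:
        totals[rec["email"]] = totals.get(rec["email"], 0) + rec["spend"]
    return totals


def dictionary_attack(tokens: List[str], guesses: List[str],
                      tokenise: Callable[[str, str], str]) -> Dict[str, str]:
    """An attacker who holds only the working copy tries to recover e-mails by
    tokenising a list of likely addresses and matching against the tokens."""
    rainbow = {tokenise("email", g): g for g in guesses}
    return {t: rainbow[t] for t in tokens if t in rainbow}


if __name__ == "__main__":
    key = new_key()
    working, lookup = pseudonymise(SAMPLE_RECORDS, key)
    print(spend_per_subject(working))
    print(reidentify(working[0], lookup))
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]
    # Plain hashing leaks both subjects; the keyed tokens leak nothing.
    print(dictionary_attack([unkeyed_token("email", r["email"]) for r in SAMPLE_RECORDS],
                            guesses, unkeyed_token))
    print(dictionary_attack([r["email"] for r in working], guesses, unkeyed_token))
```

The separation of the key and the lookup table from the working copy is what does the work here: an analyst with the working copy can still count spend per customer, but cannot name the customer, and two data sets pseudonymised under different keys cannot be joined on the tokens. If the key or the table is stored alongside the data, the records are effectively identifiable again.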


Next Steps?

Looking at what to do next is vital. If you want to become GDPR compliant, you need an action plan and you need to know what you're doing.

For Expert GDPR Advice call 0345 450 993 Opt 1 and start the journey to compliance.

SUMMARY: Plan; Procedures; Audit; Policies and privacy notice; Demonstrate compliance; DPO

Visit our site:

www.pinkconnect.com