GDPR

General Data Protection Regulation

Are you compliant?

WHAT IS GDPR?

The General Data Protection Regulation (GDPR) is the European Union’s new legislation to strengthen and unify data protection for EU citizens. It will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.

WHY IS THIS SO IMPORTANT?

The current Data Protection Directive (DPD) was enacted in 1995. Since then, both the complexity of the regulations and public awareness have grown hand in hand with rapid technological progress. With many businesses operating across borders, international consistency in data protection laws and rights is crucial to businesses and individuals alike.

WHAT IF YOU DON'T COMPLY?

If you fail to comply with the Regulation you could find yourself being fined up to €20 million or 4% of your company’s global annual turnover, whichever figure is larger, and your reputation could be seriously damaged.

Who does the GDPR apply to?

The GDPR applies to any organisation that operates within the EU or with EU data. Organisations can be considered ‘controllers’ and/or ‘processors’.

The definitions are broadly the same as under the DPA. Controllers say how and why personal data is processed, and processors act on the controller’s behalf.

What information does the GDPR apply to?

The GDPR applies to ‘personal data’. However, the definition is more detailed and makes it clear that information such as an online identifier, e.g. an IP address, can be personal data.

The GDPR applies both to automated personal data and to manual filing systems where personal data are accessible according to specific criteria.

What is new?

The most significant addition is the accountability principle. The GDPR requires you to show how you comply with the principles – for example by documenting the decisions you take about a processing activity.

You are expected to put into place comprehensive but proportionate governance measures. Good practice tools such as privacy impact assessments and privacy by design are now legally required in certain circumstances.

The Basics

Data Processor

You are a Data Processor if you decide:

  1. What IT systems to use to collect personal data.

  2. How to store the personal data.

  3. The detail of the security surrounding the personal data.

  4. The means used to transfer the personal data.

  5. The means used to retrieve personal data about certain individuals.

  6. The method for ensuring a retention schedule is adhered to.

  7. The means used to delete or dispose of the data.

Data Controller

You are a Data Controller if you:

  1. Collect the personal data in the first place.

  2. Decide the legal basis for doing so.

  3. Decide which items of personal data to collect.

  4. Decide the purpose or purposes the data are to be used for.

  5. Decide which individuals to collect data about.

  6. Decide whether to disclose the data and, if so, to whom.

  7. Decide whether subject access and other individuals’ rights apply.

  8. Decide how long to retain the data, or whether to make non-routine amendments to the data.

Are you a Processor, a Controller or both?

Identify your responsibilities

Processor Responsibilities

[Holding data on your own servers]

As a Data Processor, you will have to safeguard data and ensure data resilience to a high standard. You will have significantly more legal liability than controllers if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.

Security considerations:

Physical security of data:

The building where the servers are housed must be adequately secured against fire, flood and theft.

At least one other secure building should be used for data storage and business continuity.

Backups:

Backups are the backbone of restoration and continuity. In the unlikely event of a successful hacking or ransomware attempt, affected servers are less of a problem if a backup can be restored.

Cyber resilience:

You must have a cyber resilience strategy in place to reduce the risk of data breaches. It should include enterprise-grade tools such as robust firewalls and anti-malware/anti-virus tools, together with monitoring for hacking attempts and for staff visiting suspicious phishing websites.

Controller Responsibilities

[Entering and maintaining personal data]

As a Data Controller, you will have to comply with rules concerning consent, access, rectification and portability of data.

Consent

Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action, in other words a positive opt-in: consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw it. Consent has to be verifiable, and individuals generally have more rights where you rely on consent to process their data.

Remember that you can rely on other lawful bases apart from consent – for example, where processing is necessary for the purposes of your organisation’s or a third party’s legitimate interests.

Access

The GDPR sets out the information that you should supply and when individuals should be informed. The information you supply is determined by whether or not you obtained the personal data directly from the individuals concerned.

The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of, and can verify, the lawfulness of the processing.

Rectification

Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible. You must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.

Erasure

The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

Portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

Other responsibilities

Keep a record of data operations and activities
Carry out a data Privacy Impact Assessment (PIA) for systems and projects
Consider if you will be required to designate a Data Protection Officer (DPO)
Notify the supervisory authority of a data breach
Review data processing processes
Implement “privacy by design” and “privacy by default”

*Extended information is available in our Support Portal.

Intsys Solutions

Helping you to comply with GDPR

Cloud

Outsource Processor responsibilities

UK Data Centres

99.99% uptime guarantee

ISO 27001 certified

ISO 9001 and 14001 certified

30 days backup

Email archiver

Easy and quick access to archived emails

Compliance with GDPR

Easy to implement

Unlimited space

Advanced search

Messaging Intelligence

Network Security

Protect your system with a powerful solution consisting of a firewall and virus, spam and phishing blockers.

Protect your system from external threats

Filter: block porn, gambling, videos, social networks, shopping sites and other inappropriate content or applications.

Tackle the challenges of a remote workforce, branch offices and guest Wi-Fi

Analysis: detailed views of the traffic on your networks.


This website and its content is copyright of Intsys UK Ltd. 

© Intsys UK Ltd 2019. All rights reserved.