After 4 years of preparation the EU Parliament has finally approved the GDPR. This directive harmonises all the data protection laws across Europe and comes into effect from 25th May 2018. Heavy fines can be expected for non-compliance.

What about Brexit?
If you sell goods or services to other EU members and hold data about individuals in those countries, then you will have to comply with the new regulations. Even if you only sell within the UK, it is expected that our regulations will follow the GDPR to maintain access to the EU digital market. Some adjustments may be made once we leave the EU but the fundamental guidance is expected to remain.

What are the implications?
Organisations in breach of the regulations can be fined up to a maximum of 4% of annual global turnover or 20 Million Euros (whichever is the greater). The regulations apply to both controllers and processors.

If your organisation holds personal information, you will be responsible for:
  • Identifying where the data is held
  • Managing the risks that could lead to a data breach
  • Maintaining and monitoring security
  • Implementing a robust Information Security Management System (ISMS)

Key points
There is an entire website dedicated to the new regulation and a link is provided at the bottom of this article if you need to find out more. For now, we are simply going to focus on what your business can do to help you comply with the new regulation.

The aim of GDPR is to protect all EU citizens from privacy and data breaches. In this context, personal data means “Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”

Conditions for consent
“Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data - in this context, nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.”

*Taken directly from the GDPR website (link below).

The website provides detailed information about the implications of not collecting or storing data in the correct way, but does not give much guidance on how to go about preventing a data breach.

A good starting point would be to gain ISO 27001 certification. This international management standard provides a framework for your organisation to identify the risks, implement management systems and continually monitor your procedures to minimise the impact of a security breach.

ISO 27001 certification and GDPR
This international standard covers the security and protection of data and how it is used. Loss or damage could be caused by natural disasters such as fire or flood, accidental loss or mismanagement, corrupted or stolen data. The effects of any of these losses can have catastrophic consequences for organisations.

By integrating an Information Security Management System into your organisation, you will manage the risks and minimise the effect of an incident.

This proven framework will provide the management system needed to help you comply with the new GDPR.

GDPR Website: www.eugdpr.org
 
Further information is also available from:
UK Information Commissioner’s Office ico.org.uk