Oh no! More legislation designed to create more headaches for businesses! Well, I think we would agree that the protection of data and information is paramount to all of us, no? GDPR (General Data Protection Regulation) will in fact be with all of us in 2018 (May 25th to be precise, date correct at time of writing!); and so what is it you may ask?
Well in a nutshell it is a new piece of legislation from the European Union (yes it will apply to the UK as it was agreed prior to Brexit) that will supersede data protection legislation written and released prior to that date. So in the UK, the old Data Protection Act of 1998 will cease to be relevant, although as one would expect, its core principles will live on and have been further developed with some new rules and a new set of “rights”. But you will probably not want to read this all in great detail at this moment in time, I suspect that a set of headlines will suffice for now? OK here goes:
Data Protection Officer
– it will be considered very good practice to appoint a DPO in your organisation and in some cases it may be mandatory (for example if you process large amounts of sensitive data); the role of course could be incorporated into that of an Information Security Manager, Head of Compliance or other similar function.
Personal Information
– if you do not have any procedures in place for how long you keep personal information, when it gets destroyed and the method of destruction that is used, now is the time to be aware or put something in place. If you are in a management position and are not clear on what personal information you hold, then this is a good time to get some clarity.
Transparency
– are your communications with your interested parties clear, concise, honest and unambiguous? If not this will need some review. For instance if you send out marketing or sales email, individuals must be proactively asked if they want to (continue to) receive communications and must have easy access to terminating the agreement.
Incidents
– if a breach of security has been detected (and of course every effort must be made to ensure suitable detection measures are in place), and this breach threatens the personal information rights of an individual, then the incident/breach will need to be reported to the relevant parties.
So what should organisations do next? Firstly ask yourselves “who needs to know what?” Then you can ensure the relevant people are involved in your organisation’s core team. Everyone in your organisation will need to know at least something about GDPR, some more than others depending on the nature of their work.
If you already have an ISMS (Information Security Management System) with certification to ISO 27001:2013 then these changes will present less of a challenge and your ISMS may just need some development work. If you do not have an ISMS but you already have a QMS with certification to ISO 9001:2015, then incorporating GDPR into that system may be a good direction to take.
If you would like to talk to someone at Batalas about your current situation and any training needs your organisation may have, please don’t hesitate to pick up the phone or drop us a line.