In case it slipped by unnoticed, a new piece of Data Privacy legislation came into force in May and is still likely to be implemented in the UK, regardless of our planned Brexit. Even if the UK does not ratify this or similar legislation, companies selling into the EU are still required to comply. This time around, fines for non-compliance are far from a token measure – firms can be fined up to 4% of annual global turnover for breaches.
The legislation has its roots in a number of high-profile data breaches that I’m sure you have seen in the press over the last few years. It aims to use a financial stick to make all firms much more conscientious when it comes to securing their data. In summary, the changes are:
- Reach – it catches non-EU companies processing EU data (which will be us going forward)
- Regulatory Body – a new European Data Protection Board is being set up to implement and advise
- Management – you can be asked to demonstrate compliance, conduct impact assessments etc
- Consent – be able to demonstrate that you have the owner’s permission to hold their data. Expect a new rash of check boxes when you create a new account.
- Duty to notify breaches – turn yourself in to the Data Protection Board in the event of data loss
- Right to be forgotten – individuals will have the right in certain circumstances to have their data removed from your records
So what should you be doing to prepare for GDPR?
- Examine your “chain of custody” of consumer data, looking for points of vulnerability in storage, transfer and access
- Ensure employee contracts emphasise data confidentiality and prohibit disclosure
- Check privacy notices and policies on e-commerce and web sites
- Establish a framework for accountability for data security
- Develop procedures and systems for “right to be forgotten” requests
More information and an accessible guide is available here.
STYLEman ERP can support end-to-end data encryption and database encryption to protect your data both in transit and at rest, and exceeds current PCI security requirements.