If you own or work within a business, you will have heard of the GDPR (General Data Protection Regulation).
On May 25th, 2018, new legislation replaced the existing Data Protection Act. It is designed to do two things: firstly, to ensure that data protection regulations are uniform across the European Union member states; secondly, to encompass emerging technology storage media such as Cloud, USB storage and off-site backup. Even if the UK does leave the EU (Brexit), the legislation will remain in place.
Some of the main changes introduced by the GDPR are:
- €10 million fine or 4% of annual turnover – whichever is greater
- Right of access requests can now be made verbally, with one month to comply, and a fee can no longer be charged
- Self-reporting is now mandatory
The Data Protection Act came into force in 1984. The ICO (Information Commissioner’s Office) is the supervisory authority whose task is to enforce the legislation. Most companies simply had to register for a Data Protection Certificate by paying a small fee and agreeing to maintain the eight principles. This was all very vague, and most businesses we encounter have never applied for a certificate. As shown above, the GDPR carries much more weight than the DPA, and so we urge all businesses, no matter their size, to take the time to become GDPR compliant.
You will no doubt by now have received emails and mailings from companies offering a wide range of services, all claiming to keep you compliant with GDPR. Most of these companies will be using technical terms like hardware audit, port testing, encryption and principle compliance. In addition, most will charge a substantial fee for this work. BEWARE.
The ICO has (at the time of writing this article in April 2019) not authorised or accredited any training body, approved any course or provided any practical guidance on GDPR compliance. Whilst there are a couple of well-established training companies who have put together GDPR courses, the usual “bandwagon jumping” has started with companies looking to earn money from the new legislation and its implications.
The full GDPR legislation is 260 pages long (it can be downloaded here); unless you are a lawyer, however, it is unlikely to make much sense. Once the legislation comes into force, there will no doubt be many initial test cases. These test cases will provide assistance on future compliance.
The Director of PC Repair Leeds has taken some of the offered courses and exams to provide us with the best training currently available. In addition, as a company, we have been accredited with a government-backed Cyber Essentials certificate to prove our understanding of data security. We hope that our knowledge will ensure our clients remain compliant and that our own compliance and experience can assist others.
We have now started rolling out simple procedures to our existing business clients, which will help them prove compliance with the GDPR. The suggestions we are making do not cost very much and are more a matter of implementing procedures and policy. Some of the easy-to-implement solutions are:
- Encryption of all hardware
- Frequent changing of passwords
- Hierarchical data access for staff
- Application of Cyber Essentials certification
We strongly suggest you speak to a reputable IT company to ensure you are GDPR compliant. Please do not hesitate to contact us today with any questions.
REMEMBER – Ignorance is not accepted as a defence in law.