The General Data Protection Regulation, or GDPR, has overhauled how businesses process and handle data. In fact, GDPR can be considered the world’s strongest set of data protection rules: it enhances how people can access information held about them and places limits on what organisations can do with that personal data.

This personal data includes information about racial or ethnic origin, political opinions, religious beliefs, membership of trade unions, genetic and biometric data, health information and data around a person’s sexual orientation.

The crucial thing about what qualifies as personal data is that it allows a person to be identified. Personal data is so important under GDPR because individuals, organisations, and companies that are either ‘controllers’ or ‘processors’ of it are covered by the law.

  • Controllers are the main decision-makers: they exercise overall control over the purposes and means of the processing of personal data.
  • Processors act on behalf of, and only on the instructions of, the relevant controller.

As such, controllers have stricter obligations under GDPR than processors, but in essence data must be handled in line with 7 key principles:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

The regulations surrounding these principles are lengthy and detailed. But, here at CTO, we can help you navigate the implications for your business.

For example, under principle 6 (integrity and confidentiality, i.e. security), personal data must be protected against unauthorised or unlawful processing, as well as accidental loss, destruction, or damage. In plain English, this means that appropriate information security protections must be put in place to make sure information is not accessed by hackers or accidentally leaked as part of a data breach. It follows that your cybersecurity measures need to be appropriate to the size and use of your network and information systems. So, if a data breach occurs, data protection regulators can look at the company’s information security setup when determining any fines that may be issued.

Another example, when considering principle 7 (accountability), is that the destruction, loss, alteration, unauthorised disclosure of, or access to people’s data has to be reported to a country’s data protection regulator where it could have a detrimental impact on the people it is about. Such impact can include financial loss, confidentiality breaches, damage to reputation and more. In the UK, the ICO has to be informed of a data breach within 72 hours of an organisation discovering it. An organisation also needs to tell the people the breach impacts. It is, therefore, critical for a company to have an accurate record of all systems in place, how information is processed, and the steps taken to mitigate errors. Such records will help an organisation to prove to regulators that it takes its GDPR obligations seriously.

In the UK, monetary penalties for a data breach are decided by the ICO. GDPR states that smaller offences can result in fines of up to €10 million or two per cent of a firm’s global turnover (whichever is greater). The biggest GDPR breaches can be met with more serious consequences: fines of up to €20 million or four per cent of a firm’s global turnover (whichever is greater).

Do you have concerns about your GDPR position in relation to the above principles and your IT systems? Are you uncertain where to start or where to turn for advice?

If so, please do not hesitate to get in touch with CTO.