General Data Protection Regulations

GDPR for Small & Medium Businesses

Personal Data

Information Audit, understand what you have and how it’s used

Includes but not limited to: Name, Address, unique identification numbers, Demographics, Behavioural data, Social data, Sensor data, User generated content, CCTV.

Although only concerned with personal data, even if the data is anonymized and can be tied back to an individual, then even this information can be deemed personal.

The 3 Data Definitions

Who has what responsibility for what data

This is to recognise that not all organisations involved in the processing of personal data have the same degree of responsibility.

• The Data Subject: Your customer or your employee. This is who will be protected.
• The Data Controller: Likely to be your business where you will be responsible for the data usage, how it's handled and what happens to it.
• The Data Processor: The entity that processes personal data on behalf of the controller such as marketing, accounting, finance and HR services.

Going forward, prior to May 25 2018, you will need to ensure your General T&C’s (Subject), Employment Contracts (Controller) and any agreements with 3rd Parties (Processors).

Data Accountability & Protection

Ensure procedures are reviewed and updated

The new accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility.

You will also be responsible for the data you hold and need to demonstrate that it complies to the Data Protection Authorities (DPA's).

You also need to make sure the Data Processors effectively protect your data.

Consent

Update all websites and legal documents and include checking systems/processesadhere to GDPR requirements

You need to ask for permission, not forgiveness. Simple T&C's & plain language for how personal data will be used.

Data Subjects must be able to withdraw consent at any time, possibly using the same interface they use initially.

Fundamental Data Subject Rights

Ensure all website T&C’s, agreement T&C’s as well as other legal documents are reviewed to adhere to GDPR

• Portability: Provide all data on a subject when requested in a portable format.
• Access & Modification: Subjects must be able to access and modify their data.
• Right to be forgotten: Subjects can request for their data to be erased.

Fine Levels

IT provider: Cover data loss and data loss prevention, patching, breach detection and notification

The GDPR introduces a duty on all organisations to report certain types of data breach to the ICO, and in some cases, to individuals. You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.

You should put procedures in place to effectively detect, report and investigate a personal data breach. You may wish to assess the types of personal data you hold and document where you would be required to notify the ICO or affected individuals if a breach occurred

• 10M EUR or 2% global turnover: Failure to comply with technical and organisational requirements such as impact assessments, breach, communications, and certifications (See articles 83(4))
• 20M EUR or 4% global turnover: Failure to adhere to core principles of data processing, infringement of personal rights, or the transfer of personal data to other countries or international organisations that do not ensure an adequate level of data protection (See article 83(5))

“If Talktalk's data breach fine (£400k) was under GDPR, it could have been £70M”

Data Breach

IT Provider: compromised network flagging

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

You must notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.

Data Protection Officers (DPO)

Full time, Service / Consultant or Voluntary DPO

The DPO will be the Data Controllers and Processors who comply with data protection law and avoid the risks that organisations face when processing personal data.

Firms with over 250 employees must employ a Data Protection Officer (DPO). This person is responsible for ensuring that a business collects and secures personal data responsibly.

GDPR will also apply to small businesses under 250 employees if the processing carried out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as defined in (See article 9)

Appropriate Training

There will be a requirement to provide 3 types of training regarding GDPR to make sure you have the bases covered:

• Awareness raising and training of staff in processing operations
• Data Protection< Training to users who have permanent or regular access to personal data
• Ongoing Monitoring of training and induction training

This is about keeping the general user awareness around Data and IT security and to build strong best practices with the users.