What is the GDPR?
The GDPR (General Data Protection Regulation) is a regulation that has been set up to strengthen data protection for all businesses and individuals that use services within the European Union.
When does this regulation come into force?
The regulation comes into force on May 25th 2018, with an additional 2-year transitional period for all of the businesses involved to meet its guidelines and secure their systems.
What businesses need to comply with this regulation?
Any business that is based in the EU, deals with customers in the EU, or has any relationship with companies within the EU must comply with these guidelines to protect the data it holds.
What does a business need to do to protect the data it holds?
Any business that falls under this legislation must already have, or must implement, appropriate levels of security to keep its data secure. These include:
- Full disk encryption for PCs and laptops.
- Individual file encryption for files being transferred, so that they cannot be opened by anyone other than the business.
- Password protection of all data as a basic level of protection against unauthorized access, backed by further procedures involving stronger encryption.
- Key management processes that can generate new encryption keys whenever they are needed, rendering the old keys useless.
- Controls on connecting external hard drives and USB drives to PCs to transfer information, preventing certain files from being copied onto removable drives without an admin password.
What is the penalty if you fail to protect the data you keep?
If a business fails to keep the data it holds safe, it can be fined a maximum of 4% of its global turnover or 20 million euros, whichever is bigger. Smaller fines include a fine of 2% of global turnover for not having the appropriate records/documents, or for not notifying a higher authority about a breach or loss of information.
What protection will you need to put on the data?
Personal data such as customer data and confidential financial information must be encrypted when it is transferred, using either symmetric or asymmetric methods of encryption, so that no one other than the sender and the recipient can access the data. Other measures are:
- Strong key management will be required by all companies to protect their data and to ensure that the deletion of any files complies with the user’s right to have their data forgotten.
- For general storage of data on servers and hard drives, all drives should have full disk encryption and storage area network encryption to keep all data secure from anyone who doesn’t have the decryption key.
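The file encryption and key rotation points in the two lists above (individual file encryption, keys that can be replaced so that the old ones become useless, and strong key management) are usually implemented together as envelope encryption. The following is an added example, not code from the original page or from the company that wrote it: each file is sealed with its own random data key (DEK) using AES-256-GCM, and the DEK is stored only in wrapped form under a master key (KEK). Rotating the KEK re-wraps the DEK without re-encrypting the file body, and the old KEK can then no longer open anything. The type and function names, the key sizes and the sample record are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedFile holds a file sealed under its own random data key (DEK), plus that DEK sealed under the master key (KEK).
type EncryptedFile struct {
	WrappedDEK []byte // DEK sealed with the KEK, nonce prepended
	Ciphertext []byte // file contents sealed with the DEK, nonce prepended
}

// NewKey returns a fresh random 256-bit AES key; used for both KEKs and DEKs.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext with AES-256-GCM, prepending the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the key is wrong or the data was tampered with.
func open(key, sealed []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// EncryptFile generates a one-off DEK for this file and wraps it under kek.
func EncryptFile(kek, contents []byte) (*EncryptedFile, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, contents)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptFile unwraps the DEK with kek, then decrypts the contents with it.
func DecryptFile(kek []byte, f *EncryptedFile) ([]byte, error) {
	dek, err := open(kek, f.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, f.Ciphertext)
}

// RotateKEK re-wraps the DEK under newKEK without touching the file body; once the old KEK is destroyed it is useless.
func RotateKEK(oldKEK, newKEK []byte, f *EncryptedFile) error {
	dek, err := open(oldKEK, f.WrappedDEK)
	if err != nil {
		return err
	}
	f.WrappedDEK, err = seal(newKEK, dek)
	return err
}

func main() {
	kek1, _ := NewKey()
	kek2, _ := NewKey()
	f, _ := EncryptFile(kek1, []byte("customer=Jane Doe;iban=GB00 XXXX 0000")) // constructed sample record
	_ = RotateKEK(kek1, kek2, f)
	_, oldErr := DecryptFile(kek1, f)
	pt, _ := DecryptFile(kek2, f)
	fmt.Printf("old key rejected: %v\nnew key decrypts: %s\n", oldErr, pt)
}
```

Because the file body is never re-encrypted, rotation is cheap even for large stores, and deleting a file's wrapped DEK (or the KEK for a whole dataset) makes the ciphertext unrecoverable, which is one practical way to honour an erasure request on backups that cannot be rewritten. GCM also authenticates the data, so a wrong key or a modified ciphertext is rejected rather than silently decrypted to garbage.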
What rights does the person have whose data a company holds?
The user whose data is being stored by a company following these guidelines has the right to have their data modified or deleted at any time on request. People also have the right to see what data is being stored about them, via an electronic copy.
How will businesses comply, and what do they need to do to prove they are complying?
Businesses will comply with these guidelines by ensuring that the proper procedures and implementations set out in the regulation are in place within their business to protect their data. To ensure that they are following these guidelines, each company will be visited by Data Protection Officers, who can be either an internal or an external contact. These officers will perform full checks on the company’s systems and mark them against the standards set within the regulation.
If the business being assessed doesn’t meet the required standards, it can face a fine and will then need to pay for all necessary changes required to meet the standards.
If you want to find out more about this huge change to security, the government has set up a website where you can read more in depth in the FAQ section here. For any other questions, feel free to give us a call on 0121 296 5545 or send us an email at firstname.lastname@example.org