Basics of the General Data Protection Regulations (GDPR)

The year 2017 is on its way to becoming the worst year on record for cyber attacks. From threats that originate inside the organisation, to increasingly creative ransomware, to the vast industrial Internet of Things, businesses and security experts agree that this year will bring more inventive and more damaging attacks than ever before.

Formulating the GDPR

To combat these cyber attacks, the European Union formulated the General Data Protection Regulation (GDPR) in January 2012. The plan grew out of an EU directive adopted in 1995, the Data Protection Directive, which regulated the processing of personal data within the European Union.

The GDPR is due to take effect on 25th May 2018. It imposes new rules on companies, government agencies, non-profits and other organisations that offer goods and services to people living in the European Union, or that collect and analyse data associated with EU residents.

If a business or organisation collects, hosts or analyses the personal data of EU residents, the GDPR requires it to guarantee that it can implement all of the GDPR's requirements.

Basic Requirements

The GDPR requires organisations controlling or processing personal data tied to EU residents to use only third-party data processors that are designed to meet the GDPR's requirements for processing personal data.

The GDPR data protection authorities are still in the process of putting the final touches to the regulations and intend to approve more specific certification mechanisms, codes of conduct, and standardized clauses.

Under the GDPR, encryption is a protective measure that renders personal data unintelligible to anyone not authorised to access it, so that data exposed in a breach cannot be read. Whether or not encryption was in use can affect the breach notification requirements. The GDPR also names encryption as an example of an appropriate technical or organisational security measure in certain cases.

Controllers and Processors

The GDPR applies to “controllers” and “processors”. A controller is the entity that determines how and why personal data is processed. A processor acts on the controller’s behalf. The GDPR requires a processor to maintain records of personal data and processing activities, and assigns penalties if the processor is responsible for a breach.

A controller, however, is not relieved of its obligations where a processor is involved. The GDPR also places obligations on controllers to ensure that their contracts with processors comply with the regulations.

The GDPR applies to “personal data”, which includes online identifiers such as an IP address. The regulations apply both to automated data and to manual filing systems in which personal data is accessible.

Sensitive personal data

Personal data is defined by the GDPR as any information which is related to an identifiable person. It can include the following:

More sensitive personal data is also included in the GDPR definition, such as genetic and biometric data that is processed to uniquely identify a person. Personal data relating to criminal convictions and offences is not included in the definition, but the regulations build in extra safeguards that apply to its processing. Personal data should be:

How Businesses are Affected

The GDPR will apply in the UK from 25th May 2018. It contains hundreds of requirements concerning the collection, storage and use of personal information, and how businesses should identify and, importantly, secure personal data. It also directs how businesses should detect and report breaches of personal data and how they should train employees and personnel.

A business that fails to comply with the GDPR could face substantial fines and harm to its reputation.

Company Rights

The GDPR gives residents of the EU control over their own personal data through a set of “data subject rights.” A company can be fined up to €20 million (approximately £17 million) or four percent of its annual worldwide turnover, whichever is greater. These rights include the following:

Lawful processing

The GDPR defines lawful processing as processing that has a lawful basis, such as the consent of the data subject, the necessity of processing for the performance of a contract, a legal obligation, or the protection of the vital interests of the data subject or another person. Processing is also lawful when it is necessary to carry out a task in the public interest or in the exercise of official authority.

Consent

The GDPR requires that consent be given freely, as an affirmative action, and that it be specific, informed and an unambiguous indication of the individual's wishes. Consent cannot be inferred from silence and must be kept separate from any other terms or conditions.

Rights for Individuals

The GDPR provides the following rights for individuals:

In most respects, the GDPR simply enforces the principle that individuals are in charge of how their own data is used. Many organisations have already benefited from adopting similar privacy notices that give their customers real control over the fate of their data.

Individuals who have not braced themselves for the growing menace of cyber attacks may soon find themselves forced to pay attention by consumers, privacy activists and the requirements of the GDPR.
