Audit, Consultancy and Education
The countdown to GDPR compliance has begun, and time is running out for your business to be ready for the biggest change in data protection law in two decades. With the compliance deadline looming, it is important to understand where your business stands against the incoming regulation. GCC has partnered with experienced auditors, who will work with you to capture and document your current compliance status. Your business must be compliant by 25th May 2018.
What is it?
The General Data Protection Regulation (GDPR) is the new standard introduced by the European Union to strengthen the protection of personal data. It concerns the protection of personal data relating to individuals in the EU. GDPR was developed in consultation with members of the UK and wider European information security community. It is what is known as a “regulation” (not a “directive”): a piece of EU legislation that applies directly in every member state, without each country having to pass its own implementing law. As the GDPR takes effect on 25th May 2018, it will therefore be in force in the UK before the formal disengagement from the EU. So even though the UK voted to leave the EU in June 2016, many organisations will still be affected by this regulation, both while the UK remains a member and afterwards whenever they do business with, or process the data of, people in EU member states.
Why do we need to do it?
All personal data is valuable, so it is inevitable that cyber criminals want to get their hands on it. Large volumes of data are sold for illegal marketing and for more sinister purposes, such as taking over the accounts and records held about an individual, identity theft or terrorism. In this information-driven age, it is of the utmost importance that the systems and networks that process this information are built securely. It is also vital to have a set of rules within which everyone operates. Note how broadly personal data is defined: it is any information relating to an identified or identifiable individual, whether it relates to their private, professional or public life. This can be anything from a name, photo, email address, bank details or payment card number to a mobile phone identifier (IMEI) or a computer’s IP address; online identifiers such as device IDs are in scope, and so are posts on social networking sites. Biometric data (face, fingerprint and voice recognition data) and genetic data such as DNA are also in scope and are treated as special categories of personal data, subject to stricter rules. Many of these unique identifiers are being considered by UK banks for authentication purposes, which makes it all the more important to protect them from unauthorised access.
Anyone processing personal data of individuals in the EU will need to comply with GDPR, in much the same way as UK organisations have had to comply with the Data Protection Act 1998. Unlike PCI DSS, there is no scheme of mandated external assessments: under the accountability principle, each organisation must be able to demonstrate its own compliance to the supervisory authority (the ICO in the UK). Under the GDPR, a data controller is legally obliged to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; the independent Data Protection Officer (DPO), where one is appointed, advises on and monitors this compliance. It is also worth noting that under the new regulation third parties which process data on someone else’s behalf (data processors) will have direct legal obligations of their own and be accountable alongside the data controller.