An IT Manager's Guide To GDPR

GDPR is the world's strongest data protection rule, but are you and your employees compliant with this new rule?

In this blog, we look at an IT manager's essential steps to achieving GDPR compliance.

1| What is GDPR?

At its core, GDPR is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy.  (https://www.zdnet.com/article/gdpr-an-executive-guide-to-what-you-need-to-know/) 

2 | How does GDPR affect my company?

GDPR stands for General Data Protection Act. The new data law came into affect on May 25th 2018. The new law was a replacement for the 1995 data protection directive. GDPR is a new set of rules that was designed to give the EU citizens more control over their personal data.

The GDPR law applies to any company who controls or processes personal data relating to EU residents. Organisations don't have to be based in the EU to be bound to GDPR. They only need to be processing or holding data on EU residents in order for the GDPR to apply.

There are serious penalties for companies who don't comply with GDPR fines up to 4% of annual global revenue of 20 million euros, whichever is greater. Even though the UK is leaving the EU in 2019, if your business is handling EU resident data you will need to change the way your company collects, stores and uses the data.

3 |The key objectives of GDPR 

The purpose of GDPR is to provide a set of laws across all of the member countries. The regulation makes it easier for EU citizens to understand how their data is being used, as well as allowing them to raise complaints about the way their data is used, even if they aren't in the country.

-"Establish data privacy as a fundamental right for everyone (Recital 1)

-"Clarify who is responsible for data protection" (Article 3)

-"Define standards for data protection" (Article 3)

-"Mandate the principles of data protection" (Article 5)

-"Increase enforcement power" (Article 83)

 

There are 6 principles that a companies data processing will need to comply with:

GDPR principles

4 | What type of data does GDPR regulate?

GDPR regulates the collection and usage of personal data of a data subject. The personal data has to belong to a living identified person.

Personal data includes any information that can be used to indirectly identify an individual, such as user ID and location data.

Other forms of personal data include:

  1. Name
  2. Photograph
  3. Email address
  4. Bank details
  5. Social Media posts
  6. Medical information
  7. Computer data (including IP addresses, cookie data and RFID tags)

 

"If a business does not comply with the regulation then they could face a 4% fine of their global turnover or 20 million euros, whichever amount is greater" (https://www.solvelegal.co.uk/general-data-protection-regulation-gdpr/)

5 | What can my company do to comply with GDPR?

  • You need to obtain informed consent from an individual before collecting, stoning, or using their personal data.
  • The individual that you are collecting data from has the right to withdraw consent and to be forgotten.
  • The data you correct must be accurate and portable.
  • You have specific obligations if the data you store is ever breached. 

6 | How do I teach my staff about GDPR?

It's important for every member of staff in an organisation understands how their role is impacted by the GDPR regulation. Knowing where to start can be quite difficult, but the easiest and most valuable option would be finding a good security awareness training platform that offers security awareness training alongside GDPR training.

Training has to be relevant and engaging, it should also be happening on a regular basis. When businesses have cyber security on their minds, it helps to create a culture of cyber security that permeates all throughout the business. Not only will staff feel more comfortable in the business their knowledge of security risks will be of a proficient standard. 

7 | Why should I implement GDPR awareness training?

It's a well-known fact that insecurity, handling data, information and content management and so forth people often remain the weakest link. Training has been proven to reduce the risks of breaches, and human error, it also demonstrates compliance with GDPR. (Article 39 of GDPR states that staff awareness raising and training is required.)

It is crucial for employees to have as much knowledge of GDPR as possible. Whilst a certain element of the training has to generic around the GDPR, it also needs to be specific to the organisation. This is so the employees can relate the policies and procedures to their day to day roles when they are handling and processing any data.

Conclusion

It is crucial that every individual in your organisation understands how their role is impacted by the GDPR regulations and how they can also contribute towards complying with it. We have a free trial of our GDPR courses and also free GDPR and data protection posters as well... No credit card details are required.

Here is an overview of whats discussed in this blog:

  • What is GDPR?

  • How does GDPR affect my company?

  • What type of data does GDPR regulate?

  • What can my company do to comply with GDPR?

  • How can I teach my staff about GDPR?

  • Why should I implement GDPR awareness training?