The EU’s GDPR (General Data Protection Regulation) superseded all laws based on the EU’s Data Protection Directive, including the UK’s Data Protection Act 1998, on 25 May 2018. The Regulation expands the rights of individuals to control how their personal data is collected and processed, and places a range of stricter obligations on organisations, making them more accountable for data protection.
Some organisations believe that a simple privacy notice is all that is required, but the GDPR actually demands far more than that.
Complying with the Regulation will help lessen the impact of any data breach an organisation may incur. This is partly because the effective measures the GDPR mandates will already be in place, and partly because demonstrable compliance limits the damage to your organisation’s reputation. Organisations are also required to report certain breaches to their supervisory authority within 72 hours (in most scenarios). As a result, organisations must have the appropriate processes and controls in place so that they can not only collect and process data appropriately, but also act effectively and quickly in the event of a breach. Unfortunately, this isn’t always as easy as it seems.
Below are just a few examples of how the Regulation creates specific challenges for different sectors:
Mapping data and having records of data processing across all school systems is one of the biggest and most important changes. “Schools need to be able to demonstrate that the whole school is on board when it comes to data protection,” says Guy Dudley, Director of Advice and Legal Services at the National Association of Head Teachers. “GDPR isn’t normal ‘day-to-day’ business for schools, so they’ll have to make this change alongside all of the regular teaching and learning commitments that go on.”
The EU aims to have 80% of electricity meters converted to smart meters by 2020. As such, the volume of personal data collected in the energy sector is set to increase, with which comes the responsibility for organisations to ensure that data is collected and processed lawfully.
GPs process sensitive data on a daily basis and for a host of purposes. The majority of data is collected for medical purposes, but ‘sensitive’ data must also be collected on other lawful bases, such as legitimate interests, vital interests and legal obligation, to name but a few. As such, the processes adopted by NHS Scotland and private medical practices need to be robust enough to cater for the dissemination of this type of data.
The cost of non-compliance
A survey by NTT Security has revealed that two thirds of UK organisations are not ready to cope with the financial impact of a data breach. With organisations now liable for fines up to €20 million (around £18 million) or 4% of global annual turnover, whichever is greater, now is the time to act.
#BreachReady: taking your first steps to GDPR compliance
It’s not too late. First you need to know what the GDPR is and how it affects your organisation. One way to achieve this is to take dedicated training.
Sign up today for one of our training courses to equip yourself with exceptional knowledge and skills.
Meet us at Holyrood’s Public Sector event
Alternatively, you can meet with us at Holyrood’s Future of Data Protection Conference, discussing how to remain GDPR-compliant after 25 May, on 24 October 2018, where we will be panel sponsors and have a dedicated stand. The event is free for public sector organisations.