
GDPR Part II – Basic Overview

What does the GDPR cover?

The GDPR covers any information processed by your organisation in regard to a natural person, or data subject. In plain English, that is any identifiable person who is still alive. The GDPR covers personally identifiable information (PII) and includes any set of information that can be used to identify a data subject, including (but not limited to) names, addresses, email addresses and financial data.

Does it apply to my organisation?

Yes! It’s as simple as that – it applies to every organisation in the UK and Europe, irrespective of the outcome of the Brexit talks.

What are the main principles of the GDPR?

The GDPR covers the collection, processing, storage and destruction of sensitive data. We’ll cover compliance in more detail in a future email, but for now there are some very important principles:

  • Personal data must be processed lawfully, fairly and transparently.
  • Personal data can only be collected for specified purposes.
  • Personal data must be relevant and limited to what is necessary.
  • Personal data must be accurate and up to date.
  • Personal data must be kept in a form such that the data subject can be identified only as long as is necessary.
  • Personal data must be processed in a manner as to ensure its security.

In a nutshell – What does that really mean for my business?

It means you need to know your data in a way you have probably never considered before. You need to understand your entire data lifecycle and ensure you are compliant at each stage.

  • Collection – Have you gained consent to collect and process the data? Consent under the GDPR is very specific. If you require the data for four purposes you must gain consent explicitly for all four. Implied consent is not enough!
  • Processing – Is your use of data lawful and transparent? Is what you are doing with your data necessary and are data subjects aware of how you are utilising their information?
  • Storage – Where does your data reside – is it local or cloud based? Are appropriate controls in place to protect that data? Can you locate data about an individual if asked to provide it?
  • Transfer – If data is being transferred within or outside your organisation, is it being done lawfully? Are you sure it is safe in transit, and are you sure that the recipient of that data is also GDPR compliant?
  • Destruction – Are you retaining data only as long as is necessary? There is an in-built ‘right to be forgotten’ in the GDPR so destruction of data is as critical as its collection.

Where do I even start?

This can all seem a bit daunting and, in truth, there is a lot of work to be done. However, it can be broken down into manageable steps – the key is documentation! Businesses have until May 2018 to ensure compliance, so there is absolutely no need to panic.

We’ve broken this down into four concepts you need to consider:

People – Policies – Technology – Monitoring

The two most critical bits here are people and policies. There is no magic technological fix to the GDPR. Training, policies, procedures and written contracts will always trump technical intervention. That’s not to say technical controls are superfluous: there are times when technology is absolutely the answer, but technology should be implemented to address a specific risk that is not addressed by people and policies.

What can Geek-Guru do to help?

We are keen to stress that all of this can be done internally – it does not require external intervention to achieve compliance. That being said, we also appreciate that many of our clients will not have the time or inclination to do this themselves. We have worked hard to ensure our team is up to the challenge of assisting our clients with the GDPR. Just drop us a line to book a consultation!

Posted by Geek Guru