GDPR

GDPR began in May 2018, so it is vital to understand what it is, how it will impact your business, and what you need to do to be compliant. Hallidays can support you to be prepared and protected.

Let us help you to manage the headache that is General Data Protection Regulation (otherwise known as GDPR). GDPR is the European Union's new legislation, designed to protect the data and privacy of EU citizens. It has reshaped the way all organisations manage data governance.

Much of the GDPR legislation is already covered by the existing Data Protection Act (DPA); however, there are a number of additions and enhancements which mean that GDPR will have a profound impact on the business processes of all organisations, regardless of how well they comply with current data protection laws.

Without help, GDPR can be intimidating, especially when the fines for non-compliance far exceed anything that the existing law can impose. That's why we have spent a significant amount of time investigating the best ways for you to protect your business and the data you hold, and ultimately to defend the good name and reputation of your business. We've done the hard work for you, so you can leave GDPR to the experts and get on with what's most important to you: growing your business.

Our 4-step process will help you become GDPR compliant:

1 Review your readiness

The ICO self-assessment toolkit will help you understand how your current data-handling processes will be affected. To support this guide, we have selected two GDPR specialists who can define your scope of compliance. They will assess the data protection procedures and working practices you already have in place, and prepare a GDPR readiness programme for your organisation. This 'readiness review' may be enough to make your business compliant; however, we can also recommend experts to help you implement the findings of the review. Not knowing the amount of time and money required to become GDPR compliant can be a worry. A review of your requirements will allow you to plan ahead, and relax knowing you've put systems in place.

2 Create a culture of Data and Security Awareness

It’s likely that one of the recommendations of your review will be to create or enhance awareness within your organisation. Hallidays can help you through our Cyber Wise Awareness program. This comprises a review of your organisation to identify weaknesses in understanding, followed by comprehensive interactive courses. These courses are tailored to your business and the specific needs of your team. This will also mean reviewing and amending key HR documentation, such as Contracts of Employment and employee Data Protection and Privacy Policies, and addressing the fundamental requirements needed to comply with legal, policy, contract and process changes. If the culture surrounding data security in your organisation is right, you can move forward with confidence that everyone is working towards GDPR compliance.

3 IT Governance

GDPR will come into force before the UK leaves the EU, and the government has confirmed that the legislation will apply under UK law. This means it’s important to implement a compliance framework to ensure your IT systems support this strategy. Hallidays IT can work with you to achieve the standard you will need to fulfil your GDPR obligations, including helping you to achieve the government-backed Cyber Essentials accreditation. This demonstrates your commitment to preventing hacks and breaches of your systems. By ensuring your IT systems are compliant, you not only mitigate the risk of an attack, but can also prove your intention to prevent data breaches in the event of an investigation by the ICO.

4 Cyber Insurance

Once GDPR is law, a data breach will mean that you must report it to the ICO and inform the affected parties. Protecting and rebuilding your reputation after an attack can be costly; Cyber Insurance can provide PR support, which will help manage loss of reputation. Hallidays can put you in touch with our trusted advisor for Cyber Insurance. This will support and protect your business if you experience a data breach, or are the subject of an attack by a malicious hacker that affects your computer systems. Cyber Insurance provides cover for your costs and expenses arising out of cyber events, which gives you peace of mind that, should the worst happen, you're covered.

Frequently asked questions

What is GDPR?

GDPR stands for General Data Protection Regulation and is the new European Union Regulation set to replace the Data Protection Directive (DPD) and The UK Data Protection Act 1998.

The GDPR aims to protect the rights of EU citizens’ data wherever in the world it is held, so it is a truly global initiative. The GDPR will also supersede any and all existing data privacy and protection laws currently upheld by its member states.

When will the GDPR come into effect?

The Regulation will come into effect on the 25th May 2018.

Who does GDPR apply to?

Any organisation which processes and holds the personal data of data subjects residing in the EU will be obliged to abide by the laws set out by GDPR. This applies to every organisation that holds data belonging to EU nationals, regardless of whether the organisation itself resides in one of the 28 EU member states.

There are also adequacy agreements with 12 other countries, in addition to the EU member states and the three EEA states, whereby the EU believes that data will be protected to the same degree as currently granted by European law.

What responsibilities will companies have under this new regulation?

The rules governing how personal information is used will become much stricter and GDPR introduces regulations that significantly widen the control owners of personal data have.

This means that companies will have to clearly demonstrate that they have consent to hold personal data and justify why they need it, switching the onus from an opt-out approach to ensuring that individuals opt in.

What kind of information does the GDPR apply to?

The current Data Protection Directive defines personal data as: “Any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”

This has been extended to include your personal data online, like your IP address, physical information from your computer such as a MAC address, online financial information and even social media posts. The GDPR will also include sensitive personal data, which are special categories of personal data that uniquely identify a person. This will include genetic data and biometric data.

Under GDPR, for HR, does ‘data subject’ mean employee?

Yes, but the term ‘data subject’ goes much further than employees.

You will also need to include all data held for workers, casual and temporary staff, students, work experience students, interns, volunteers, agency workers, contractors, sub-contractors and self-employed consultants.

Do I need to make changes to employment contracts?

If, like most employers, your employment contracts contain express contractual clauses allowing you to process data then yes, you will need to make changes.

This ‘express permission’ will no longer be sufficient.

You will need to review and revise your employment contracts for new staff, and consider how best to obtain consent from existing employees.

Do employees have any special rights under GDPR?

Yes, they have a number of specific rights including having the right to:

1 Be informed about processing;

2 Access data held about them;

3 Request rectification of data;

4 Request erasure of data;

5 Restrict processing;

6 Data portability;

7 Object to processing (if consent was being relied upon for processing, or on grounds related to an employee’s ‘particular situation’ if ‘legitimate interests’ were being relied upon); and

8 Not be subjected to a decision as a result of automated decision making and profiling.

Are there any specific rules businesses should be following to ensure compliance?

Yes, Article 5 of the EU GDPR sets out six privacy principles relating to personal data:

  • Data should be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
  • Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • Data should be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (‘data minimisation’)
  • Data must be accurate and where necessary kept up to date. Where data is inaccurate, it should be erased without delay
  • Data must be kept in a form that permits identification of a subject for no longer than is necessary
  • Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)

What will the penalties be for failing to comply with GDPR?

Failure to comply with the GDPR carries penalties that are far heavier than those under the current Data Protection Act (1998). However, the regulation introduces an approach whereby the severity of the fine will be determined by the characteristics of the breach.

Overtly not complying with GDPR or ignoring formal written warnings from the ICO will likely carry the heaviest fines. Ignorance is not an excuse, and companies in violation may be required to undergo regular data integrity audits. The maximum fine a company can face is 4% of its annual global turnover, or €20 million, whichever is higher.

What effect, if any, does Brexit have on GDPR?

Even though UK Prime Minister Theresa May announced a definitive date (29th March 2017) to begin the process of leaving the European Union, and Britain is set to come out of the European Union in 2019, most if not all of the GDPR is set to be adopted into UK legislation as early as December 2018.

However, regardless of how much or little Britain decides to adopt of the GDPR (and it is likely that it will be most of it), British companies will have to adhere to the exact same rules and regulations as companies located anywhere in the world, and should not expect any divergence from the GDPR concerning personal data held in the UK.

Do all organisations now have to appoint a Data Protection Officer (DPO)?

It is not necessarily compulsory for all organisations to appoint a DPO as this will be dependent upon many factors. According to the ICO, a company should appoint a DPO if:

  • You are a public company or a public authority (except for courts acting in their judicial capacity)
  • You are engaged in or carry out large-scale systematic monitoring of individuals and user data
  • Your organisation processes large volumes of personal data, or carries out large-scale processing of special categories of data or data relating to criminal convictions and offences

Even if you don’t appoint a DPO for your company, you must ensure that you have the resources in your organisation to comply with the obligations under the GDPR.

I store my data elsewhere with a cloud provider. Am I still liable?

If you store your data with a cloud provider, you are not exempt from the GDPR, and should your cloud provider fail to comply with the GDPR, you will not be able to shift the blame to them.

What rights will individuals have under GDPR?

There are 8 fundamental rights of individuals under GDPR. These are:

  • The right to be informed - Organisations must be completely transparent in how they are using ALL personal data.
  • The right of access - Individuals will have the right to know exactly what information is held about them and how it is processed.
  • The right of rectification - Individuals will be entitled to have personal data rectified if it is inaccurate or incomplete.
  • The right to erasure - Also known as 'the right to be forgotten', this refers to an individual's right to having their personal data deleted or removed without the need for a specific reason as to why they wish to discontinue.
  • The right to restrict processing - Refers to an individual's right to block or suppress processing of their personal data.
  • The right to data portability - This allows individuals to retain and reuse their personal data for their own purpose.
  • The right to object - In certain circumstances, individuals are entitled to object to their personal data being used. This includes, if a company uses personal data for direct marketing, scientific and historical research, or for the performance of a task in the public interest.
  • Rights in relation to automated decision making and profiling - The GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. For example, individuals can choose not to be the subject of a decision where the consequence has a legal bearing on them, or is based on automated processing.

Moving forwards

We understand that the legislation can be daunting, but with our support, you can ensure that you have all the correct procedures in place, and relax, knowing you are fully compliant. This demonstrates to your team and customers your commitment to preventing hacks and breaches of your systems.

To take action now, complete our contact form. Otherwise, please call us on 0161 476 8276 or email hello@hallidays.co.uk.

“Over 72% of companies perceive reputational damage as their number one priority.”

PWC, 2016 Annual Survey

“80% of firms will not fully comply with GDPR by the time GDPR comes into force in May 2018.”

Forrester Research Company
