The creators of isology®

ISO 27002 was recently updated this year – along with a reduction of overall controls, 11 completely news ones were added to keep up with new and emerging technology.

One of the new controls added under the technological category, is something called Data Masking. But what does this mean exactly?

Steve Mason joins us again today to delve deeper into data masking to explain what it is, why it’s so important and details a few of the different types of data masking

You’ll learn

• What is data masking?
• Why is data masking important?
• How does data masking work?
• What are the different types of data masking?

Resources

• ISOlogy Hub
• Blackmores

In this episode, we talk about:

[01:33] The purpose of data masking according to ISO 27002 – Now more clearly defined when compared to earlier versions

[02:55] A brief overview of PII (Personally Identifiable Information)     

[03:52] A summary of the defined attributes of data masking     

[05:25] What is data masking? Including definitions for obfuscation, data anonymization and pseudonymisation

[08:50] The benefits of having a more clearly defined control for protecting PII

[09:35] Other standards where data masking is applicable – ISO 27017, ISO 27018 and ISO 27701  

[11:27] Why data masking is so important currently

[12:40] How data masking works in practice  

[13:10] Static data masking –  data is masked in an original database then duplicated into a test environment

[13:34] Dynamic data masking – The original sensitive data remains in the repository. Data is never exposed to unauthorised users, contents are shuffled in real-time on-demand to make the contents masked

[14:50] On the fly data masking – Masking data while it is transferred from production systems to test or development systems before the data is saved to disk.

[15:55] Techniques for data masking include – Substitution – Businesses substitute the original data with random data from supplied or customised lookup file.

[16:15] Shuffling – Businesses substitute original data with another authentic-looking data but they shuffle the entities in the same column randomly.   

[17:09] Number and date variances – For financial and date-driven data sets, applying the same variance to create a new dataset doesn’t change the accuracy of the dataset while masking data.

[17:56] Encryption is still the number one method for data masking

[18:40] Character scrambling – This method involves randomly rearranging the order of characters. This process is irreversible so that the original data cannot be obtained from the scrambled data.

[19:50] Other forms of data to take into consideration – Protected health information, Payment card information, Intellectual property and Company specific Information

[23:02] How GDPR promotes data masking

Download our ISO 27002 changes Quick Guide here:

Just a reminder, we’re offering 6 months free access to the isologyhub for anyone who signs up to an ISO Support Plan!

We’d love to hear your views and comments about the ISO Show, here’s how:

• Share the ISO Show on Twitter or Linkedin
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud

BS 10012 is a British standard that outlines the specifications for a Personal Information Management System (PIMS). This was introduced in 2009 to help organisations manage personal information and comply with data protection laws. 

The standard was updated in 2017 to reflect the GDPR’s requirements, making it an ideal framework for regulatory compliance. For example, it includes specific guidance on each principal, helping organisations meet the requirements of BS10012 and GDPR. 

After implementing BS 10012 for a number of organisations, here are our Top tips on implementing BS 10012.

• Establish a PIMS team – this is not a one-person job.  You will need to have input from all areas that are involved with personal data.
• Carry out a Privacy Impact Assessment – It is important to understand where all the personal identifiable data is within the organisation, how it is collected and how it is disposed.  (remember this is all Data – soft and hard copies – get in to all the drawers and cupboards)
• Data mapping – collate the information on a data matrix, this would show all the information in one place.
• Carry out a risk assessment – the data matrix will flag up any risks that need addressing
• Update documentation – Ensure all documents are updated i.e data protection policies, cookie policy and privacy policy.
• Training, training and more training – people are the weakest link, ensure ALL staff have had BS 100012 training
• Conduct Internal Audits – to verify compliance and check your systems are effective. 

Implementing a PIMS can be challenging so if you would like assistance please contact us for further information on: enquiries@blackmoresuk.com

Step 1 – Conduct a Privacy Impact Assessment (PIA)

Why?

Enables you to identify all the processes/activities that involve personal data and demonstrates to the ICO that you have carefully considered personal data within your business.

 How?

Complete a PIA for each information stream in your business, we have a host of template documents to help you and your business comply, contact us for further information.

Step 2 – Data Protection Policy Statement

Why?

This policy is your commitment/statement of intent as an organization to Data protection

How?

If you don’t have a DPS you will need one, then you need to consider if it needs to be publicly available or internal only. You should send it to new and prospective clients and share with suppliers.

Step 3 – Data Retention Policy & Data Retention Schedule

Purpose:

Data Retention Policy – This is required to support the creation, retrieval, proper storage and preservation of essential personal data records, and to enable identification and destruction of information where there is no continuing business, legal or historical significance.

Schedule – This schedule defines the different types of records typically found in businesses.  It may not capture all the personal data/records that you may have in your company.  Where any are missing, you need to add these to the ‘Other’ tab within the document.   The schedule defines any legal retention requirements/ guidance on best practice from the ICO.

Action: Make the Policy and schedule available to staff.

Step 4 – Privacy Policy Template

Why?

In the interest of transparency (a GDPR principle requirement), you are required to provide privacy information to data subjects when you are collecting their personal data.  Typically you will find a Privacy policy is put onto the website (as generally this is where you may have data capture forms).

How?

Have a look at what you have got already in your Privacy Policy and if it needs updating within the section related to Legal Basis for processing (as per the PIA/Data Matrix outputs) as not all may apply.

• Display it in an ‘easy to digest’ format on your website. i.e. section headers with an overview paragraph – they option to expand to see full details.
• Add in a link to this page on your email signatures
• Have a think where else in the business where you might be collecting personal data that you should be providing some level of privacy information i.e. Terms of engagement (use the same headings if possible).

Step 5 – Security Incident Procedure

Why?

This is the document that you need to describe the process for reporting data breaches or security weaknesses, events, and investigation of security incidents.  All staff must be made aware of document and understand the procedure as they have responsibilities to be able to know how to report breaches/ security incidents as they become aware of them.

How?

• Write up your procedure and make it available to staff and ensure they’re aware of their data protection/ information security breach responsibilities as appropriate.

Step 6 – Information Security Breach Checklist

Why?

The checklist is to capture the key elements relating to a data breach to ensure actions are recorded and progressed as appropriate. The root cause can then be understood, and that is any new/changed controls are needed to be made and applied as part of the lessons learnt activities.

How?

• Ensure it’s availability to staff and they understand and are aware of their data protection/ information security breach responsibilities as appropriate.

Step 7 – Subject Access Request (SAR) Procedure

Why?

As stipulated by GDPR any individual that you hold information on has a right to know what data you hold on them eg name, address, etc – this info can be requested by an individual using a  ‘Data Subject Access Request’.

How?

Write up your procedure outlining the steps to be followed by staff upon receiving this request, what information they need to record and how to go about it. This will ensure that your company receives and processes Data Subject Access Requests in accordance with the General Data Protection Regulations.

Step 8 – Subject Access Request (SAR) Log

Why?

There are rules relating to how long you have to respond (within 30 days) to these requests and this log enables you to keep track of any requests in progress, or any historical requests made.  This log is linked to/ referenced within the Subject Access Request procedure.

Step 9 – GDPR Staff Training

Why?

Most data breaches/ Information Security breaches/incidents can be traced back to an individual’s actions or decisions.  Providing awareness training to staff is a form of control that you may need to evidence to the ICO/Client in the event of a data breach.

How?

• Ensure all staff receive this training.
• Retain evidence that this training has been delivered i.e. staff training records

Step 10 – Supplier Data Compliance Questionnaire

Purpose:

This questionnaire is to check that the suppliers that your business shares personal data with are GDPR compliant. It is a requirement for your company to check the security and data protection compliance of any processors/ sub-processors used by the business

How?

• Identify those suppliers/ partners to whom you may supply personal data (Use the Data Matrix/ PIA results as a reference point)
• Send the questionnaire to the companies likely to respond.
• Conduct the required due diligence for larger organisations and retain evidence of findings
• Take action depending on the outcome of the questionnaires/ proactive due diligence.

Next steps………

1. Use your common sense when it comes to protecting your client dataJ
2. Review your client terms of engagement – are you being transparent about the handling and protection of your client data?
3. Complete the Privacy Impact Assessment (PIA)
4. Identify your risks and implement the organisational controls (Policies, procedures and training)
5. Identify the risks and implement the technological controls i.e. data back-up, anti-virus software, restricted access, password management.

What’s the difference between BS 10012 and GDPR?

The General Data Protection Regulations (GDPR) are the requirements for data protection across the EU, laid down in law; therefore, every organisation that controls or processes personal data is legally obliged to comply with the requirements and must be able to demonstrate the application of data protection principles.

BS 10012:2017 is a Standard – a framework –  to assist organisations in meeting the legal obligations laid out in the GDPR Articles and Recitals.  Not only does BS10012:2017 address all the operational requirements of GDPR within Clauses 5 – 8, it also addresses how businesses can ensure they align their data protection responsibilities within the overall strategy of the business through context, leadership and continual improvement.  But more importantly, it ensures ongoing compliance to GDPR.

Can I implement BS 10012 instead of GDPR

Yes. BS 10012 incorporates all the requirements of GDPR, but the key benefit is that it drives ongoing review and improvement of controls implemented to manage these requirements – now and thereafter.

Neither GDPR nor BS10012 alignment happens without input or effort.  Both require action and top level commitment from a business.  There is no ‘off the shelf’ magic answer as every business is different, with its own processes, people, clients and suppliers – all of which generate personal data that needs to be effectively managed within a business.

May 25th 2018 – GDPR becomes law

This is the date the ICO has set for all organisations to align with GDPR.
Are there any legal implications for my business?

GDPR becomes law on May 25th 2018.  Therefore compliance to the requirements becomes a legal implication for your business on this date.

Steve wood, the Information Commissioner’s Office Head of International Strategy & Intelligence has quashed any suggestions of a soft start to GDPR. He stated “You will not hear talk of grace periods from people at the ICO. That’s not part of our regulatory strategy.”  He explained the ICO intend to focus on risk and will be happy to work with organisations if there are any areas that seem unclear but there will be no grace period.
What happens if my company does not comply?

Under the GDPR there are tiers of fines that can be imposed depending on the severity of breach.  The worst case scenario for fines are 4% of global turnover or £20M – whichever is greatest.

Not only are fines imposed, but the ICO  ‘name and shame’ businesses that are in breach.  This is not a new development – this is also the case under the DPA. More information can be found HERE.

Node IT Solutions and Blackmores, specialists in Quality, Risk & Environmental Management, are repeating their sell-out GDPR & Cyber Essentials Business Briefing. Join us on the 22nd May for this FREE Business Briefing, the link to register can be found below.

The General Data Protection Regulations (GDPR) will come in to force on 25th May 2018.

If your business controls or processes any personal information – e.g. employee and/or customer data – you will need to comply. Failure to do so could cost you dearly, resulting in heavy fines and serious damage to the reputation of your business.

Central to GDPR compliance is making sure that the personal data your business deals with is controlled and processed securely. Businesses of all sizes are increasingly under threat from cyber attacks. If you have not put the appropriate technical measures in place to protect personal data, your business will be liable should you suffer a data breach.

Cyber Essentials is the UK Government Cyber Security standard for all businesses and organisations. Meeting the standard demonstrates that your business is taking all reasonable steps to protect the data you hold, and that you take cyber security seriously.

Feedback from the first event was overwhelmingly positive:

“The Business Briefing was informative, clear and easy to follow and has given me some invaluable insight into GDPR and Cyber Security. After attending the meeting I now feel really positive and am looking forward to putting everything I learned into place for my business.”

Agenda:

9:00-9:30 Arrival: tea, coffee & refreshments

9:20-9:30 Introduction

9:30-10:10 Mel Blackmore, Blackmores
GDPR compliance and the steps you need to take now

10:10- 10:20 Break

10:20-11:00 Leigh Wood, Node IT Solutions
Why Cyber Security should be central to your GDPR strategy

11-11:20 Q&A with Mel & Leigh

This event is for you if

• You are a Business Owner/Director who needs to understand how GDPR & Cyber Security impact your business
• You have responsibility for ensuring your business is GDPR-compliant

Join us to find out what your business needs to know about GDPR and Cyber Security and start taking positive steps towards GDPR compliance. Click HERE to register for this FREE business briefing.

 

The Basics of BS 10012

BS 10012 is the British standard for Personal Information Management, and provides a framework for maintaining and improving compliance with data protection requirements and good practice.

It covers topics such as privacy impact assessment, risk assessments, data retention and disposal, privacy by design and employee awareness training; helping you to put policies and procedures in place to effectively manage the personal information of individuals.

Alignment with BS 10012

BS 10012:2017 provides the framework to implement a personal information management system around the principles of Data Protection (GDPR):

• Principle (a) Lawfully, fairly and transparently processed (Clause 8.2.6);
• Principle (b) Obtained only for specific legitimate purposes Clause 8.2.7);
• Principle (c) Adequate, relevant, limited in line with data limitation principles (Clause 8.2.8);
• Principle (d) Accurate and up to date, with every effort to erase or rectify without delay (Clause 8.2.9);
• Principle (e) Stored in a form that permits identification no longer than necessary (Clause 8.2.10);
• Principle (f) Ensure appropriate security, integrity and confidentiality of personal information using technological and organizational measures (Clause 8.2.11).
• General Accountability for the above

I already have an ISO certification, can I integrate BS 10012?

BS 10012:2017 follows the ‘Plan-Do-Check-Act’ continuous improvement model and is aligned to ISO Annex SL, adopted by all key management system standards, enabling organisations to integrate their PIMS with other standards, notably ISO/IEC 27001:2013. It is also a standard which organisations can now certify against.

Who needs to be involved in BS 10012?

Do all my staff need to be involved in BS 10012?

Successful implementation is a team effort.

It starts with the top – Senior Management need to be fully onboard and committed to achieving data protection best practice.  If this is secured, then everything else will flow from there.

In order to effectively identify all the personal data within your organisation you need to involve all areas of the business.

All too often businesses are concerned with just the data they may process for their clients – normally because they’re being questioned about data protection by their clients!

Or on the flip side, businesses are overly concerned with staff or finance data – excluding all the other client-related personal data they may be controlling in the business.

With BS 10012 – all personal data is captured and recorded to ensure that all risks are considered.

Thereafter, all staff require a level of data protection training to ensure that they understand their responsibilities in relation to personal data.  Unfortunately, as has been proven many times before, people will always be the weakest link when it comes to data protection breaches.  Ensuring all staff are trained is fundamentally one of the most important steps to take in implementing BS 10012:2017

This extends out to key suppliers or partners depending on whether personal data is shared/ transferred outside of the business.

Can I implement BS 10012 instead of GDPR

Yes. BS 10012 incorporates all the requirements of GDPR, but the key benefit is that it drives ongoing review and improvement of controls implemented to manage these requirements – now and thereafter.

Neither GDPR or BS 10012 alignment happens without input or effort.  Both require action and top level commitment from a business.  There is no ‘off the shelf’ magic answer as every business is different, with its own processes, people, clients and suppliers – all of which generate personal data that needs to be effectively managed within a business.

How much work is involved in implementing BS10012

Neither GDPR or BS 10012 alignment happens without input or effort.  Both require action and top level commitment from a business.  There is no ‘off the shelf’ magic answer as every business is different, with its own processes, people, clients and suppliers – all of which generate personal data that needs to be effectively managed within a business.

Gone are the days when a simple communicated Data Protection policy and registration with the Information Commissioner would suffice for Data Protection compliance.   One of the biggest changes is the ‘accountability’ principle underpinning the six other principles.   You now need to be able to prove you have applied all the principles within your business.

Over and above just the basic principles, you should be striving to:

• Demonstrate that you understand what personal data you control or process,
• Identify the legal basis for processing
• Demonstrate the steps you have taken to understand and control/mitigate risk
• Communicate requirements to interested parties
• ‘Bake in’ Data Protection within your organisation (including required processes and review of planned/unplanned changes)
• Review performance and strive for continual improvement.

When you consider the potential consequences of getting any of this wrong – 4% of global annual revenue or €20M whichever is greater – why wouldn’t you take the best practice approach and implement BS 10012?

What is data subject consent?

This is clearly defined by GDPR, what the data subjects wishes are in processing their data.

What is a freedom of information request?

Under the GDPR, individuals will have the right to obtain:

• confirmation that their data is being processed;
• access to their personal data; and
• other supplementary information – this largely corresponds to the information that should be provided in a privacy notice

You must provide a copy of the information free of charge.  However, you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.

You may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that you can charge for all subsequent access requests.

In order to provide the information you must verify the identity of the person making the request, using “reasonable means”. If the request is made electronically, you should provide the information in a commonly used electronic format.

Can I implement BS 10012 instead of GDPR

Yes. BS 10012 incorporates all the requirements of GDPR, but the key benefit is that it drives ongoing review and improvement of controls implemented to manage these requirements – now and thereafter.
Neither GDPR or B S10012 alignment happens without input or effort. Both require action and top level commitment from a business. There is no ‘off the shelf’ magic answer as every business is different, with its own processes, people, clients and suppliers – all of which generate personal data that needs to be effectively managed within a business.

How will BS 10012 add value to my business?

By implementing and certifying your business against BS 10012:2017, you will be able to demonstrate some clear advantages over your competitors:

• Commitment to protecting client and stakeholder personal data – independently assessed by a 3^rd party certification body
• Identify risks to personal information and implement controls to mitigate them – reducing risk for both your organisation, and any clients whose personal data you may process
• Utilise a management system to actively demonstrate compliance with both the GDPR and the revised UK Data Protection Act
• Continually improve your management of personal data against recognised best practice and improved controls
• Proactively protect your reputation – both in the market and to your interested parties
• Achieve competitive advantage when tendering for new business

Running a successful business is all about reducing risk wherever possible (BS 10012 is a risk-based standard) and seeking opportunities to improve on the competition (BS 10012 certification sets you apart from mere internal GDPR ‘compliance statements’).

You can confidently state that you have credible 3^rd party assurance that you are meeting your data protection obligations under GDPR – through certification to BS 10012 with a recognised certification body such as ISOQAR, BSI, LRQA, SGS etc.

Will ISO 27001 make me GDPR compliant?

ISO27001 v BS 10012

On its own No – this is a myth.

Information security is just one of Six principles of BS10012 and GDPR

 “f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

Whilst a very important principle, if you rely on just having ISO 27001 for GDPR compliance you run the risk of not being in full alignment with all the principles (and related articles and recitals).

 

Who needs to be involved in BS 10012?

Do all my staff need to be involved in BS 10012

Successful implementation is a team effort.

It starts with the top – Senior Management need to be fully onboard and committed to achieving data protection best practice.  If this is secured, then everything else will flow from there.

In order to effectively identify all the personal data within your organisation you need to involve all areas of the business.

All too often businesses are concerned with just the data they may process for their clients – normally because they’re being questioned about data protection by their clients!

Or on the flip side, businesses are overly concerned with staff or finance data – excluding all the other client related personal data they may be controlling in the business.

With BS10012 – all personal data is captured and recorded to ensure that all risks are considered.

Thereafter, all staff require a level of data protection training to ensure that they understand their responsibilities in relation to personal data.  Unfortunately, as has been proven many times before, people will always be the weakest link when it comes to data protection breaches.  Ensuring all staff are trained is fundamentally one of the most important steps to take in implementing BS10012:2017

This extends out to key suppliers or partners depending on whether personal data is shared/ transferred outside of the business.

Are you ready for GDPR? Is your business data secure from cyber threats?

The General Data Protection Regulations (GDPR) will come in to force on 25th May 2018. If your business controls or processes any personal information – e.g. employee and/or customer data – you will need to comply. Failure to do so could cost you dearly, resulting in heavy fines and serious damage to the reputation of your business.

Central to GDPR compliance is making sure that the personal data your business deals with is controlled and processed securely. Businesses of all sizes are increasingly under threat from cyber attacks. If you have not put the appropriate technical measures in place to protect personal data, your business will be liable should you suffer a data breach.

Cyber Essentials is the UK Government Cyber Security standard for all businesses and organisations. Meeting the standard demonstrates that your business is taking all reasonable steps to protect the data you hold, and that you take cyber security seriously.

Node IT Solutions are holding this business briefing on GDPR and Cyber Essentials in partnership with Blackmores, specialists in Quality, Risk & Environmental Management. Mel Blackmore will be talking about GDPR and how businesses can prepare. Leigh Wood from Node IT will be taking you through the government Cyber Essentials standards and what businesses need do to qualify and pass the assessment.

9:00-9:30 Arrival: tea, coffee & refreshments

9:20-9:30 Introduction

9:30-10:10 Mel Blackmore, Blackmores
GDPR compliance and the steps you need to take now

10:10- 10:20 Break

10:20-11:00 Leigh Wood, Node IT Solutions
Why Cyber Security should be central to your GDPR strategy

11-11:20 Q&A with Mel & Leigh

Join us to find out what your business needs to know about GDPR and Cyber Security and start taking positive steps towards GDPR compliance. Click here to register for the event. 

 

How to go about implementing BS 10012

The first step to Implementing BS 10012 would be to carry out a Gap Analysis to identify where the gaps are in your Personal Information Management. Evaluate the results and formulate a plan to put the correct policies and procedures in place to be compliant. This evaluation will also highlight any potential existing risks with your personal information management, which can then be addressed as you create your management system.

Unless you are familiar with BS 10012 requirements, we suggest seeking out guidance or support with the process of establishing a management system. Blackmores also offer assistance with BS 10012, so feel free to contact us for more information.

Do I have to delete all historical data?

No – If there is a legal basis to retain and use this data, then the GDPR should not prevent you from using this, or require you to delete this data. However, under GDPR you are required to identify the legal basis in line with the overarching principles.

You should review your data retention policies and ensure that you are not keeping historical data unnecessarily.

What if I want to keep personal data I have previously collected?

The requirement to keep data retention to a minimum is not a new concept. The DPA has always mandated that only necessary data should be collected and only used for as long as required. The same principle applies with the GDPR.

If there is a legal basis to retain and use this data, then the GDPR should not prevent you from using this. However, under GDPR you are required to identify the legal basis in line with the overarching principles.

ONI successfully recommended for BS 10012 certification

Leading the way in GDPR compliance, Blackmores are delighted to announce that ONI Plc have been recommended for certification to the updated British Standard for Personal Information BS 10012:2017 with Certification body Alcumus ISOQAR.

The standard was updated in 2017 to provide a framework to support organisations to align their Personal Data Protection Policies and procedures with the GDPR requirements coming into force on the 25th May 2018.

Supporting ONI Plc to integrate their robust information security (ISO 27001) controls with BS 10012 to demonstrate commitment to GDPR, we are delighted that ONI Plc are the first to be recommended for certification.

Aligning with GDPR assures your clients that you understand data protection & have the controls to keep their information safe. GDPR takes into consideration the rights of the data subjects, security threats and new technology.

What difference will it make to the customers?

Ultimately, the customers will be assured that you are aligning to the GDPR Data Protection Principles, that you understand data protection risks relative to your activities and are applying proportionate controls to ensure that you keep their personal data protected within your business.

Data Protection is not a new concept, however the changes with GDPR have recognised the rights of data subjects, recognized information security threats and the fact that new technologies have expanded the availability of personal data.

What is BS 10012?

Any organisation that processes personal information should ensure that it protects the privacy of the people it affects.

BS 10012 provides a framework for maintaining and improving compliance with data protection requirements and good practice.

This webinar washeld on the 16th March at 12pm-12:45pm. This webinar will covers the following:-

• What is BS10012:2017?
• What’s the difference between BS10012 and GDPR?
• How will BS10012 add value to my business?
• What is the best approach to implementing BS10012?
• Who needs to be involved?
• Is BS10012 certification recognised?
• How Blackmores can help you to achieve BS10012 certification

Is there a difference between GDPR and the Data Protection Act (DPA) – In short yes, there are a number differences you must align to.

How is GDPR different from the Data Protection Act?

The overall principles of data protection have not changed greatly, however there are a number of differences to include the following:

• You can no longer charge for ‘subject access requests’ and they have to be provided within 30 days
• There is now a mandatory requirement to appoint a Data Protection Officer (DPO) depending on complexity/sensitivity of personal data activities
• The definition of ‘Personal Data’ has been expanded to include online identifiers, location data, and genetic data
• Notification of breaches is now mandatory (and within a 72 hour timeframe) for breaches that adversely impact a data subject
• The regulations now have responsibilities for both data controllers and data processors
• There is now a right to claim compensation for ‘non material damage’ i.e. where there has been no financial loss
• Parental consent is now required for individuals under 16
• Data consent now has to be ‘clear, affirmative action with the ability to be withdrawn at a later date’
• The maximum penalties for breaches has risen to 4% of global turnover or £20M (whichever is greatest)

If you share customer data, ensure that you comply with the data protection principles. There are 7 data protection principles that ensure confidentiality, integrity and security of data.

We don’t share the customer data we collect?

Regardless of if you share the customer data you collect, the GDPR still applies. There are several Data Protection principles that need to be upheld, to include ensuring confidentiality, integrity and security of data.

The principles are defined below:

Principle (a) Lawfully, fairly and transparently processed;
Principle (b) Obtained only for specific legitimate purposes;
Principle (c) Adequate, relevant, limited in line with data limitation principles;
Principle (d) Accurate and up to date, with every effort to erase or rectify without delay;
Principle (e) Stored in a form that permits identification no longer than necessary;
Principle (f) Ensure appropriate security, integrity and confidentiality of personal information using technological and organizational measures; and
General Accountability for the above

There are numerous legislative Acts and Regulations that mandate statutory retention periods for documents such as financial records or HR or Health and Safety records.  In addition to these, business should be stipulating their own retention periods for the data and records they keep (to include those that contain personal data).

 

There is no single answer to this question, but it is an area that needs to be addressed by businesses as part of adhering to the principle “Stored in a form that permits identification no longer than necessary”

Once defined, the retention policies need to be adhered to!

What rights do customers and staff have?

All data subjects have ‘rights’ under GDPR, to include staff and clients.  The GDPR provides the following rights for individuals:

• The right to be informed.
• The right of access.
• The right to rectification.
• The right to erasure.
• The right to restrict processing.
• The right to data portability.
• The right to object.
• Rights in relation to automated decision making and profiling

Data subject consent?

This is clearly defined by GDPR, what the data subjects wishes are in processing their data.

What is a freedom of information request?

Under the GDPR, individuals will have the right to obtain:

• confirmation that their data is being processed;
• access to their personal data; and
• other supplementary information – this largely corresponds to the information that should be provided in a privacy notice

You must provide a copy of the information free of charge.  However, you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.

You may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that you can charge for all subsequent access requests.

In order to provide the information you must verify the identity of the person making the request, using “reasonable means”. If the request is made electronically, you should provide the information in a commonly used electronic format.

 

Reviewing your procedures – as your business will constantly evolve your GDPR procedure should align with the growth.

How regularly do I need to review my procedures?
Business are constantly evolving – through the development of new services, the use of new technology and growth within their industry. This means that controls implemented for GDPR (both logical and physical) may no longer be sufficient or relevant in 1 – 2 years time.

As with any other applicable legislation or risk based activity, it is best practice to perform a ‘health check’ every year to ensure that you remain in alignment with the requirements of GDPR. This should include a review of awareness within your organisation

GDPR becomes law on May 25th 2018.  Therefore compliance to the requirements becomes a legal implication for your business on this date.

Steve wood, the Information Commissioner’s Office Head of International Strategy & Intelligence has quashed any suggestions of a soft start to GDPR. He stated “You will not hear talk of grace periods from people at the ICO. That’s not part of our regulatory strategy.”  He explained the ICO intend to focus on risk and will be happy to work with organisations if there are any areas that seem unclear but there will be no grace period.

My customers are not in the UK, does GDPR still apply?

Even if your customers are not in the UK, it is likely that you still employ staff, and hold HR information on these staff in the UK.  Therefore the requirements of GDPR will still apply to you.

What difference will it make to the customers?

Ultimately, the customers will be assured that you are aligning to the GDPR Data Protection Principles, that you understand data protection risks relative to your activities and are applying proportionate controls to ensure that you keep their personal data protected within your business.

Data Protection is not a new concept, however the changes with GDPR have recognised the rights of data subjects, recognised information security threats and the fact that new technologies have expanded the availability of personal data.