
GDPR Q&A for UK businesses

Still need to wrap your head around GDPR? Here are some common questions and answers to help your business prepare for the impending regulations.

So, what is GDPR?

General Data Protection Regulation (GDPR) is the harmonisation of data protection legislation across the EU. GDPR will impose a set of new data protection requirements on organisations, replacing the Data Protection Act 1998 (DPA).

GDPR will come into force on 25 May 2018.

GDPR:

  • introduces heavier fines for non-compliance and breaches
  • gives individuals more control over what companies can do with their personal data
  • makes data protection regulations more or less identical throughout the EU

Does GDPR apply to your business?

Any organisation processing and/or storing personal data of EU citizens will need to be compliant with the requirements of the GDPR by May 2018.  

How does Brexit affect GDPR?

Despite Brexit, GDPR will still apply in the UK. The ICO (Information Commissioner’s Office) has confirmed that GDPR will be incorporated into UK law before the exit, so that there is certainty about UK law afterwards.

What are the Rights of Individuals under GDPR?

The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA.  The GDPR provides the following rights to individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

What is Privacy by Design?

GDPR now mandates privacy by design and privacy by default, to promote compliance with data protection laws and regulations from the earliest stages of any initiative involving personal data. Privacy by design is a multi-layered concept, involving various technological and organisational components, which together implement privacy and data protection principles in systems and services.

How long can we keep Personal Data?

The GDPR does not prescribe fixed retention periods; instead it requires that personal data be kept for no longer than is necessary “for the purpose for which the personal data is processed”. Organisations will therefore need to identify what personal data they process, and the purpose for doing so, in order to determine an appropriate retention period for each type of personal data.

GDPR and Data Breaches

Under the GDPR, organisations are required to notify their supervisory authority (the ICO in the UK) within 72 hours from when the breach is first identified. A breach must be reported where it poses any risk to the rights and freedoms of the data subjects.

What about Third Party Responsibilities?

Any personal data crossing your network (where you are the controller or processor) from third parties will need to be processed in accordance with the GDPR.  You have to secure the data and generally ensure that contractual terms between you and the third party are in accordance with the GDPR.

What next?

Conosco’s consultancy and technology services can help you navigate the process of becoming GDPR-compliant by May 2018.

We offer a comprehensive GDPR service, consisting of:

Introduction to the GDPR

  • Security-focused discussions with key stakeholders
  • Tailored education on GDPR impact and applicability  
  • Q&A
  • High-level summary report

Full GDPR compliance report 

  • Detailed Q&A with key stakeholders
  • Formalised requirements capture
  • Contextualised understanding of the client’s business and data
  • Delivery of document template pack
  • Data flow map for a key business area/process
  • Gap analysis
  • Documented report identifying GDPR requirements and remediation steps

Note: Remediation is subject to requirement and quoted separately after the report.

Contact us today to schedule a free introductory consultation.