News

17
Aug

The issue of data protection is one that no business can afford to ignore and upcoming changes in the law are going to make this even more critical. Last week the Government announced new plans to allow individuals to gain more control over what happens to their personal information, which will transform the way businesses need to operate in this area.

New Proposals

The new bill has been put forward by Digital Minister Matt Hancock and transfers the European General Data Protection Regulation (GDPR) into UK law.

The proposals in the bill include:

  • Making it simpler for people to withdraw consent for their personal data to be used
  • Letting people ask for data to be deleted
  • Requiring firms to obtain "explicit" consent when they process sensitive personal data
  • Expanding personal data to include IP addresses, DNA and small text files known as cookies
  • Letting people get hold of the information organisations hold on them much more freely
  • Making re-identifying people from anonymised or pseudonymised data a criminal offence

The implications of failing foul of data protection laws can be very serious indeed, with GDPR bringing a maximum fine of £17m or 4% of global turnover for a serious data breach and fines of up to £500,000 for breaking data protection laws.

GDPR

These proposals remain just that so far, but businesses do need to be prepared for the coming of GDPR on 25th May 2018. The UK’s eventual departure from the EU is no excuse for not being compliant with the regulations, particularly with the proposals mentioned above making it clear that data protection in the UK will likely run mostly parallel with legislation in the EU, even after Brexit.

So if your business has not yet started making plans for getting your data in line ready for next May, you need to make a start on it sooner rather than later. The key points in GDPR are as follows:

  • Businesses must have a Data Protection Officer with the responsibility for ensuring compliance
  • Businesses must comply with the new laws regarding data theft or loss of personal data, reporting any such breach to ICO within 72 hours
  • Businesses must have clear explicit consent before using personal data. This includes data collected before GDPR is enforced, meaning old data must also meet the new standards.

How Can You Prepare For The New Data Protection Rules?

One key step you can take to get your business ready for GDPR and the UK legislation that will follow it is to gain the Cyber Essentials scheme. Backed by the UK Government and developed in consultation with industry, Cyber Essentials is aimed at improving cyber security within public supply chains and ensuring that businesses do not fall foul of potentially costly data protection breaches.

It’s a requirement for suppliers involved in handling personal data through the provision of certain technical products and services and is good practice for any business because of the basic information security hygiene measures it teaches.

There are two levels of assessment and certification, Cyber Essentials and Cyber Essentials Plus to suit your requirements. You can find out more about Cyber Essentials and how Centre For Assessment can help you prepare for the coming changes in data protection requirements here.