GDPR (General Data Protection Regulation) replaces the Data Protection Act (DPA), which was enacted in 1998. That legislation was left largely unchanged for many years and consequently became very out of date: many of the technologies in everyday use today, such as cloud computing, did not exist when it was written.
The changes are vast, and when the regulation applies from May 2018 the EU will arguably have the strictest data protection laws in the world. The main focus of GDPR is to protect personal data. In practice this means that a business will need a lawful basis, such as the individual's clear consent, before it can process or profit from that person's data.
The first thing a business needs to do is to understand all of the personal data it holds and the risk that data may expose it to. To do this, you need to create a data map, which details the following:
The retention period and other legal details of each data set must also be established. This can be a huge undertaking, but it is essential: without knowing what data is held, where, and why, a business cannot protect itself against breaching the rules of GDPR.
It is then necessary to establish whether the business falls into the high-risk category, based on the type of data it holds and the volume of data it processes. High risk includes, but is not limited to:
If, after this assessment, the business is high risk, it needs to perform a Privacy Impact Assessment (PIA, known under GDPR as a Data Protection Impact Assessment, or DPIA) to ensure that any personal data is well categorised, secure, easily retrievable, editable (ideally self-service), portable, and able to be permanently deleted if required.
Priority One can assist with the following stages of getting your business ready for GDPR: