Today, 25th May 2018, sees the EU General Data Protection Regulation (GDPR) come into effect, replacing the Data Protection Act 1998 (DPA). The GDPR was developed by the European Union over a four-year period to serve as a legislative solution to present-day data protection issues.
Currently, laws regarding data protection in the United Kingdom are based on the Data Protection Act of 1998 — an update of the 1995 EU Data Protection Directive — which itself was designed to handle security issues as understood by lawmakers and programming experts in the years leading up to the millennium.
The GDPR will update the law to take into account significant advances in technology as well as fundamental changes to the way in which individuals and organisations communicate, use and share information; it will also remove inconsistencies in data protection globally. In today's ever-evolving digital environment, the protection of personal data has become more critical than ever.
As data breaches occur with greater frequency, the cyber-security standards that were put into law 20 years ago are no longer enough to protect the information of businesses and customers that interact online. The larger the database, the graver the consequences of a breach for parties at both ends.
The GDPR is intended to solve security issues that have emerged over the past two decades since the development of cloud technology and its impact on data security.
What are the main principles of GDPR?
Article 5 of the GDPR requires that personal data shall be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accurate and, where necessary, kept up to date
- Kept for no longer than is necessary
- Processed in a manner that ensures appropriate security of the personal data.
Why should you pay attention to GDPR?
The current DPA has a maximum fine of £500,000. GDPR has fines of up to £20 million or 4% of total worldwide annual turnover, whichever is higher, for breaches of the data protection principles, the conditions for consent or data subject access rights.
The GDPR requires businesses to completely transform the way personal data is currently managed. They will need to be more accountable for the personal data they process and develop an ongoing programme of compliance and monitoring that is embedded within and across their activities.
What can you do?
Organisations around the world that have studied the GDPR are likely aware that the regulation encourages the adoption of best-practice schemes.
ISO 27001 is an information security standard that helps companies come into compliance with international best-practice models. The standard covers three key components of data security — people, processes and technology. When steps are taken to safeguard data with these three components in mind, businesses are better equipped to protect information, mitigate risks and rectify procedures that are deemed ineffective. As such, a growing consensus has emerged in the corporate sector that regards ISO 27001 as the gold standard among best-practice schemes.
By putting the ISO 27001 standard into effect, an organisation establishes an information security management system (ISMS) that works within the business culture of the company in question. The standard is regularly updated and enhanced, and these ongoing improvements allow the ISMS to stay abreast of changes both within and outside the company, while identifying and eliminating new risks.