27 June 2019
It has been over 12 months since the General Data Protection Regulation (GDPR) came into force on 25 May 2018, with the aim of unifying how personal data is processed, used, stored and exchanged across all EU countries. But since the rollout, how has the legislative change affected the way businesses handle personal data? And how many companies are still lagging behind in terms of GDPR-compliant data handling and processing?
According to recent reports, the race to become GDPR compliant has not gone smoothly: over two-thirds of businesses admit that more work is needed to achieve full compliance, and around half anticipate fines for breaching the legislation. Indeed, one in five organisations say they believe full GDPR compliance is impossible to measure, raising concerns about the amount of work still needed to ensure watertight compliance across all EU member states and their individual industry sectors.
This guide explores the core tenets of GDPR and how they apply to IT processes, giving IT professionals a broad overview of the steps they should take to help their organisations achieve full compliance, including a GDPR checklist that can serve as a roadmap for the process.
Many companies failed to prepare adequately for the rollout of GDPR because they were not sure whether the new legislation applied to their type or size of business. GDPR applies to all organisations established in the EU, regardless of their size or number of employees, and it also covers businesses outside the bloc that offer goods or services to people in EU countries, or that otherwise process the personal data of people in the EU.
These are the GDPR compliance criteria:
In other words, if your company is established in the EU or handles personal data belonging to people in the EU, it must comply with GDPR. This remains the case after Brexit, because most UK businesses will still handle and process personal data from people living in EU nations.
When it comes to GDPR, there are three main stakeholders named in the legislation: data controllers, data processors and data subjects. We have gone into more detail about these groups below:
IT professionals may be called upon to process personal data on behalf of a data controller, or to support GDPR compliance by performing audit work and carrying out security actions that help an organisation achieve full compliance. It is the data controller that determines the purposes and means of the processing and carries primary data protection responsibility for it, although processors also have direct obligations of their own under GDPR, such as securing the processing and notifying the controller of personal data breaches without undue delay.
Over the last 12 months, more has become known about the types of actions which organisations must implement to ensure full GDPR compliance, including basic security changes and how personal data is protected. Examples of these requirements include:
If a business is investigated for GDPR compliance, it will need to show evidence that it has implemented appropriate measures to protect data and enhance security, like the processes listed above. This can require additional resources and significant investment: the average Fortune 500 company is reported to budget around £12 million a year to maintain full GDPR compliance.
In terms of the type of data deemed ‘personal’ under GDPR, the criteria set out six points that data controllers and processors need to know:
When planning your approach to GDPR from an IT perspective, it is important to understand the rights of the data subjects whose personal information you will be responsible for protecting and securing. Knowing the rights of data subjects under GDPR will help your organisation maintain compliance across all of its day-to-day operations and data-handling processes.
Here are the rights to which data subjects are entitled:
Big or small, businesses need to invest time and resources in becoming fully GDPR compliant, or suffer the consequences: administrative fines of up to €20 million or 4% of global annual turnover, whichever is higher, and a poor public reputation for privacy and data management.
As an IT professional, you can bolster your organisation’s GDPR efforts by designing processes that uphold data subjects’ privacy rights. Consider the following when setting out your proposals for GDPR-compliant IT data processing:
We hope this GDPR guide proves useful in helping your business achieve full compliance. As the legislation continues to bed in, it is crucial that businesses of all sizes take steps to achieve compliance before penalties become more commonplace.
For more IT guides and features, visit the CDL blog and newsfeed. If you are here to find out about our computer and IT disposal services, visit the homepage or call us today on 0333 060 2260.