The General Data Protection Regulation (GDPR) represents the most important data protection regulation change in 20 years.
General Data Protection Regulation
The GDPR, or General Data Protection Regulation, came into force in May 2018 and sets out rules for the gathering, storage and use of personal data by businesses and public bodies. The knee-jerk reaction of most businesses dealing with personal data has been to purge their marketing databases and any other records of personal data out of fear of prosecution.
Texaport works with clients on GDPR compliance, liaising with legal advisors to provide the most accurate guidance. While the GDPR introduces a new set of regulations, it largely builds on the Data Protection Act 1998, which businesses already had to comply with; for those already working within the scope of that Act, the GDPR has not required a great deal of change.
For businesses unfamiliar with Data Protection or bewildered by the volume of information concerning GDPR, Texaport offers a wide range of support.
Our standard Cyber Security engagement is a five-step process, preceded by an informal chat with our Data Protection guru.
Some key questions we regularly encounter about GDPR and personal data:
What is GDPR?
The GDPR is a new European law and set of rules intended to give individuals more control over their personally identifiable information. This includes your name, address, credit card number, date of birth, religion and more. Any company that stores and/or uses this information for marketing, payroll or any other purpose has to comply with these rules.
What Constitutes Personal Data?
Personal data, often referred to as PII or Personally Identifiable Information, is defined in the GDPR as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
What Is the Penalty for Non-Compliance?
The maximum fine is €20 million or 4% of “worldwide turnover”, whichever is greater.
The scale of the fine depends on the extent and impact of the error or breach.
Is My Business Compliant?
Unless you have taken on specialist help in data protection there is a good chance that you will not be compliant with the GDPR.
Where Is My Data Stored?
This is an important question, and you are entitled to an answer from every one of your suppliers. Those storage locations are subject to the same regulations as the companies that requested or use your information.
Do I Need to Buy New Hardware?
The main implications of GDPR are policy, process and software based. Hardware becomes a factor when newer, more secure software is released that your existing hardware cannot run. If that software patches vulnerabilities in your systems or prevents the compromise of personal data, outdated hardware could cost you €20 million.
Texaport works with clients to complete detailed “Data Scoping” documents, which help to identify, locate and “map out” personally identifiable information throughout the organisation. Because this data can take many forms and be scattered across the organisation, completing the scoping requires a cross-department approach.
Once data has been scoped throughout the organisation, Texaport can work with clients to ensure compliance with the regulations.
Much like a financial audit, where an auditor investigates the accounts, inventory and processes of an organisation to ensure compliance and correctness, a Texaport audit looks into the technical capacity of the organisation in relation to GDPR.
Texaport follows a deliberately loose process that allows the investigation to be adapted to each client, working from the “outside” of the organisation “in”.
Texaport ensures clients receive the information they require as effectively as possible. During a project or support enquiry, information is provided in small chunks as it becomes available. For larger projects and implementations, such as GDPR compliance, Texaport instead condenses the information into reports following the scoping and audit phases, consolidating and clarifying it in a convenient digest.
Implementations in relation to Cyber Security will normally follow the report phase, where the client decides on the course of action and the security posture to be achieved. Outside of this process, Texaport can implement Cyber Security changes for clients as a stand-alone project or as an element of our “Holistic Security” package.
The implementation phase is the core of compliance, as every non-conformance discovered during the audit phase comes with recommended actions to rectify it.
Texaport completes GDPR Compliance projects by comparing the implemented actions with the report recommendations and audit findings.
The review process is similar to the earlier audit, but is completed much more quickly, as it is limited to verification and “error checking”: confirming that the required actions have been carried out and that the client’s security posture has improved.
Where clients are re-certifying against compliance previously attained with Texaport’s support, the review phase commonly forms the “scoping” element of the subsequent project.