Enforcement date: 25th May 2018

The General Data Protection Regulation (GDPR), which comes into effect in the UK on 25th May 2018, replaces the dated Data Protection Act 1998; from that date organisations found to be non-compliant face heavy fines. So, as IT companies around the UK try to decipher what they must do to comply with GDPR, MAPTEC IT looks at the possible side effects.

Unfortunately, there isn't a lot of precise information out there to help frantic project managers trying to implement good-practice policies in time for the 25th. We have been working closely with our partners Acronis, Microsoft, BitDefender, netthreat, KnowBe4 and Datto, and have been doing our own research on the subject. From our understanding so far there are a lot of key areas that need more clarification, and perhaps documentation, with regard to how companies need to store personal data.

In light of the recent ransomware attacks, your IT department or outsourced IT provider cannot get away with simply saying that IT systems can be restored within a week, or in more than 72 hours. Nor can you say you have antivirus and firewalls on your servers and computers and expect that to be sufficient. You will need products with proactive elements built in, and in our experience paid products for online protection will always be better than free ones. GDPR gives you 72 hours from becoming aware of a personal data breach to notify the supervisory authority (the ICO in the UK), so you need to be able to restore data and establish what was affected well within that window, and you need regular backup drills to prove that the data really can be restored. You also need to consider how data is protected, and in particular that it is not stored on a front-end website that could potentially be hacked.
Some of the steps you can take: make an inventory of all your data, online and offsite, and check that it is secured and backed up in the right manner, for example with an offsite backup that is encrypted and protected by a strong passphrase. Then make regular checks, i.e. recovery tests, to confirm that the data can actually be retrieved from the backup.
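The two steps above (an encrypted offsite copy, and a recovery test that is actually run rather than assumed) can be scripted so the drill happens on a schedule instead of on the day of an incident. The following is an added example written for this page, not MAPTEC IT's own tooling or any partner product. It assumes tar, openssl (1.1.1 or later, for -pbkdf2) and GNU sha256sum are installed; the directory names, the passphrase file and the sample data are all constructed for the demo. Note that `openssl enc` with AES-256-CBC gives confidentiality but no authentication, so the per-file SHA-256 manifest taken before encryption is what the drill uses to detect a corrupted, truncated or wrongly decrypted restore.

```shell
#!/bin/sh
# Added example (not MAPTEC IT's tooling): encrypted backup plus an automated restore drill.
# Assumes tar, openssl (1.1.1+ for -pbkdf2) and GNU sha256sum are installed.
# All directory names and the passphrase file are hypothetical.
set -eu

# make_backup <src_dir> <out_dir> <passphrase_file>
# Writes out_dir/manifest.sha256 (per-file hashes taken from the live data) and
# out_dir/backup.tar.enc (tar stream encrypted with AES-256-CBC, key derived via PBKDF2).
make_backup() {
    src="$1"; out="$2"; passfile="$3"
    mkdir -p "$out"
    out=$(cd "$out" && pwd)
    # Hash every file before anything leaves the box; the drill compares against this.
    (cd "$src" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2) \
        > "$out/manifest.sha256"
    tar -C "$src" -cf - . | openssl enc -aes-256-cbc -pbkdf2 -salt \
        -pass "file:$passfile" -out "$out/backup.tar.enc"
}

# restore_drill <out_dir> <passphrase_file> <scratch_dir>
# Decrypts and unpacks into scratch_dir, then checks every manifest entry.
# Exit status 0 means every file came back with the hash it had at backup time.
restore_drill() {
    out=$(cd "$1" && pwd); passfile="$2"; scratch="$3"
    rm -rf "$scratch"; mkdir -p "$scratch"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$passfile" \
        -in "$out/backup.tar.enc" | tar -C "$scratch" -xf -
    # sha256sum -c fails on any missing or altered file, so silent backup corruption
    # or a wrong passphrase surfaces here instead of on the day you need the data.
    (cd "$scratch" && sha256sum -c --quiet "$out/manifest.sha256")
}

# Self-contained demo on constructed sample data.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/data/customers"
    printf 'alice@example.com\n' > "$work/data/customers/list.txt"   # constructed sample
    printf 'invoice 0001\n'      > "$work/data/invoice.txt"           # constructed sample
    printf 'correct horse battery staple\n' > "$work/pass.txt"        # hypothetical passphrase
    chmod 600 "$work/pass.txt"
    make_backup "$work/data" "$work/offsite" "$work/pass.txt"
    if restore_drill "$work/offsite" "$work/pass.txt" "$work/restore"; then
        echo "restore drill passed"
    else
        echo "restore drill FAILED" >&2
    fi
    rm -rf "$work"
}

demo
```

Run the drill from cron or a scheduled task against the real offsite copy, with the scratch directory on a host that is not the production server, and treat a non-zero exit as an incident: it means the backup you are relying on would not have restored cleanly. Keep the passphrase file out of the backup set itself, otherwise an attacker who obtains the archive gets the key with it.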
Another example is your email system: is your provider protecting your data? Do they have scheduled backups and recovery tests? If your answers are no or unsure, please contact MapTec IT for more information.
About the GDPR

On 25th May 2018 the biggest shake-up to the UK's data protection laws took place, in the form of two new pieces of legislation:
The Data Protection Act 2018 and
The General Data Protection Regulation (GDPR)
Together, the GDPR and the Data Protection Act 2018 replaced the Data Protection Act 1998 and introduced new data security and privacy protections for data subjects.
GDPR Principles

The GDPR is built on 7 principles. They apply to every organisation that processes personal data (controllers, and through their contracts, processors):

Lawfulness, fairness and transparency: personal data must be processed lawfully, fairly and in a transparent manner.
Purpose limitation: personal data must only be collected for specified, explicit purposes and not processed in a way incompatible with those purposes.
Data minimisation: only the data that is adequate, relevant and necessary for the stated purpose may be collected.
Accuracy: personal data held about data subjects must be accurate and, where necessary, kept up to date.
Storage limitation: personal data must not be kept in identifiable form for longer than necessary.
Integrity and confidentiality (security): appropriate technical and organisational measures must be in place to keep personal data secure, including against unauthorised processing, accidental loss, destruction or damage.
Accountability: the organisation is responsible for the data while it is in its care, including when it is transferred between parties, and must be able to demonstrate compliance with the principles above.
Data Subject Rights

The GDPR also introduces additional rights for data subjects:

The right to be informed: data subjects have the right to know how their personal data is processed, how long it will be retained for, and who it will be shared with.
The right of access: data subjects have the right to access any personal data held about them.
The right to rectification: data subjects have the right to have inaccurate personal data corrected in a timely manner.
The right to erasure (the right to be forgotten): data subjects have the right to request that their personal data be erased, for example once the original purpose has been fulfilled.
The right to restrict processing: data subjects have the right to restrict or limit the extent to which their data is processed, subject to certain conditions being met.
The right to data portability: data subjects have the right to receive a copy of their personal data in a structured, commonly used, machine-readable format for use elsewhere.
The right to object: data subjects have the right to object to further processing of their personal data for certain purposes, such as direct marketing.
What is classed as personal information

Personal data includes everything from basic contact details such as your name, telephone number, email address and home address, through to more complex and sensitive information such as retinal scans and fingerprints. The following are all personal data because they identify, or can be used to identify, a living individual:
Names
Addresses
Email addresses
Telephone numbers
Identification numbers (NHS patient numbers, National Insurance numbers etc.)
Location data
Online identifiers such as IP addresses

The GDPR treats a further group as special category data, which needs extra protection and can only be processed under specific conditions:
Biometric data (where used to identify someone)
Healthcare data
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Sex life or sexual orientation