
VSEC Blog: IT Security Channel News brought to you by Infinigate UK


The GDPR Has Been Invited to Dinner and it's Hungry for First Victims

Topics: Data Protection, GDPR, DPA

Posted: 10 October 2016


Whether you were aware of it or not, the UK Data Protection Act has been protecting your digital identity and personal data since 1998 – a relative dinosaur in the fast-changing world of IT. However, as of April 2016, this piece of legislation has been given a two-year expiration date. This is due to the emergence of its larger and scarier European cousin: the GDPR (General Data Protection Regulation).

It’s unlikely that you have not heard at least some grumblings on this subject in the past few years, but what exactly is the GDPR? And what does it mean for you and your organisation?

The GDPR started as a twinkle in the eye of the European Commission in January 2012 and has since been passed back and forth between the Commission, the Council and European Parliament for two years before finally becoming a directive in 2016. As a directive, the GDPR does not come into immediate effect; rather, it is up to the individual 28 member states to create local legislation with the same intended outcomes within two years. With the final implementation date scheduled as April 2018, the opportunity to measure its potential impact on organisations is limited.

Standing at 261 pages and with a rhetoric akin to a list of terms and conditions, the GDPR can hardly be described as a gripping read but contained within its convoluted language are just a handful of key fundamentals.

PII 2.0

The scope of personal information is much larger in the GDPR. Specifically, PII (Personally Identifiable Information) is no longer bound to attributes which directly identify a person, such as name and address. Instead, a number of indirect attributes such as genetic, psychological, economic, cultural and social identity are now considered in scope when they identify a person in combination.

You can run but you can’t hide

Regardless of geographical location, organisations which sell products and services to the EU or hold EU citizens' personal information are liable to the punishments set out in the GDPR for a breach or loss.

To tick the box or not

Clear consent to the processing of a person's private data is required by the GDPR, with clear being the operative word. In particular, inactivity can no longer be treated as consent. Those pesky tick boxes at the bottom of electronic forms must now be used only for opting in and cannot be ticked by default.

Recruiters at the ready

All public authorities, and those organisations which systematically monitor and process personal data on a large scale, are now expected to appoint a DPO (Data Protection Officer). The holder of this new role will be expected to be an expert in data protection law and will, among other duties, assist with impact assessments, monitor the accessibility of personal data and supervise any changes to the processing of personal data.

Step one, report it

Remember when there was no obligation to report personal data loss? That will be no more. The GDPR specifies that, unless exceptional circumstances exist, any data loss or breach must be reported to the data protection authority within 72 hours of the organisation becoming aware of it.

Ah forget about it

Social networks beware, as one of the key changes is an individual's right to be forgotten. Should a data subject want their data erased, or should they withdraw their consent for it to be processed any longer, then the organisation holding that data must comply.

A pretty penny

Probably the part of the GDPR which has caused the most fanfare since its inception is the punishments that will be levied for the intentional or negligent loss of data. In the worst of cases, these are defined as the larger of €20,000,000 or 4% of global annual turnover for the preceding financial year.

This is of course a simplified list which could be greatly expanded, although it does highlight the impact of this directive. To consider the GDPR as an upgraded version of the Data Protection Act is like comparing a horse and a Ferrari: both methods of transport, yet incomparable due to the enormous gulf between them. The GDPR is, however, much more than that to both individuals and organisations, and is set to fundamentally alter the way we think about and interact with personal data.

The slow pace of European bureaucracy has meant that a dismissive, head-in-the-sand approach has proven sufficient up to now. However, with April 2018 on the horizon, the race to alignment commences... and there are no exceptions for those who do not comply in time.

Posted by: Infinigate UK
