GDPR is not just a problem for your IT department
C5 Alliance is cautioning local businesses to be aware of changes to European Union data protection laws which will have organisation-wide impact. The new EU General Data Protection Regulation (GDPR) is the most significant change to European data protection law in almost two decades.
C5 Alliance warned that this was an issue for all businesses and not just IT departments as the GDPR requires organisations to respect and protect personal data – no matter where it is sent, processed or stored.
Matt Thornton, director of professional services at C5 Alliance, commented:
“There is a tendency to hear GDPR and think it’s just an IT problem; that it’s all to do with security of systems with hackers breaking in and stealing your organisation’s data. However, it extends wider than systems and security.
“Internal policies and procedures will be critical to demonstrating compliance in key areas such as risk assessment, implementing privacy by design and data breach notification processes. That’s not to say there aren’t technical considerations: new requirements and individuals’ rights, such as the ‘right to be forgotten’ and the ‘right to data portability’, as well as enhanced audit trails, will mean technological changes for local businesses. And of course physical security remains as important as ever.
“Businesses that invested in data protection under the Data Protection Act (1998) will stand in good stead but there is new work to be done to bring them up to EU GDPR standard.”
He said it was critical to recognise that compliance was a shared responsibility and that it would not be adequate to restrict accountability to one person such as a data protection officer. The organisation as a whole needs to be aware of the GDPR and its ramifications and those working in a technical capacity should at least be up to speed.
“It will take time, tools, processes and expertise for businesses to comply with GDPR.
“To do this, businesses need to make changes to privacy and data management practices, particularly in notifying and gaining consent from the people they hold data about. Failure to do so could prove costly; companies that do not meet the requirements could face reputational harm and even fines.
“However, it’s not all bad news. The regulation is not designed to be unnecessarily onerous; it clearly recognises the needs of organisations to handle data, and it is seeking to provide an enhanced level of protection to data subjects and establish accountability.
“We would urge businesses to prepare for this change and, if they are unsure of how it could impact their organisation or how to develop a compliance plan, they should seek professional advice,” he said.
The head of the Channel Islands data protection regulator, Emma Martins, recently urged local businesses to prepare for this update and the States of Guernsey and Jersey have been working to ensure the islands are prepared for the impact of the GDPR which comes into effect in May 2018.
C5 Alliance’s professional services team is fully committed to data and systems protection in line with ISO27001, an international standard focussed on information security.