GDPR comes into force on May 25th 2018. Lots of the companies that we do business with have been in touch with their ‘Compliance Requests’ – we’ve been sending ours out too.
As we get closer to May 25th companies are sending out letters and emails asking about their supplier’s data processes and the types of data they store.
Pentesec have been no different, sending and receiving GDPR Compliance Requests, making sure that our data is suitably protected and sanitised.
We’ve spent today training our staff to ensure they understand what GDPR means for all of us.
If you are struggling to get to grips with GDPR yourself, reach out. We can link you to experts who will gladly walk you through what you need to do.
In the meantime, here are some quick facts about GDPR that you might want to know:
- GDPR is a regulation in EU Law which defines how the privacy of individuals within the EU should be protected.
- Organisations worldwide are expected to comply with GDPR if they process data about EU residents, regardless of the country they operate in.
- GDPR aims primarily to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying EU regulations.
- GDPR applies to businesses of all sizes, and anyone processing personal data.
- GDPR is not a final and static rule book, it will continue to evolve indefinitely much like the Data Protection Directive has done since the 1990s.
- Not every violation will result in a hefty 20 million euro fine or 4% of an organisation’s turnover. Corrective measures will be used to put pressure on controllers and processors to become compliant.
There are a wide range of ‘data types’ to consider, personal data is not simply ‘personal data’ under GDPR.
- There is ‘Private Data’ such as IP addresses, Street Addresses, or your Name. This can be used for making business decisions such as supplying a mortgage or providing insurance.?
- Sensitive data, such as religion, sex, union membership or level of education however, cannot be used for making business decisions.
A data breach is a confirmed incident in which sensitive, confidential or otherwise protected data has been accessed and/or disclosed in an unauthorized fashion.
- You have 72 hours to report a breach and should create a plan for doing so.
- Regulators aren’t expecting zero breaches, they will be expecting reasonable efforts to be in place to combat breaches, and reasonable efforts to fix the breach you’ve had.
- Individuals affected by a breach may be entitled to compensation should the breach lead to any damages
At Pentesec we have created ways to ensure our data is relevant and secure, and we are working on processes to ensure that moving forward we don’t miss anything.
If you need any help at all, get in touch at firstname.lastname@example.org and we’ll do what we can to help.