Our latest blog features our Technical Director Martin Miles answering questions on the hot topic of the forthcoming General Data Protection Ruling (GDPR) that becomes enforceable from 25th May 2018.
What is GDPR?
The General Data Protection Regulation (GDPR) has been live since April 2016 but we have had a 2-year grace period before mandatory compliance begins on 25th May 2018. This regulation replaces the 1995 EU Data Protection Directive (DPD) and is a major overhaul with substantial fines for noncompliance reaching up to 20m euros or 4% of annual revenue for serious breaches.
What’s covered by GDPR?
GDPR gives individuals 8 rights with regards to their personal data:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Organisations will need to:
- Identify stores of personal data
- Govern the creation, management and access to personal data
- Establish controls to protect personal data and prevent breaches
- Maintain required documentation, manage requests and notify of breaches
What is personal information?
According to GDPR personal data is any information relating to an individual, whether it relates to their private/professional or public life. Depending upon the context, it can be anything from name, home address, email address, bank details, medical information, social networking posts or even photos where the person can be easily identified.
What are the implications of GDPR?
The new ruling has been introduced to help prevent the data breaches that have seen individuals and companies left very vulnerable. Issues such as identity theft are addressed to a degree by the new ruling.
The ruling will see stricter and more far-reaching controls on data collection, retention, use, transfer and disposal. As an example, it is strongly recommended that removable disks and laptops have their hard drives encrypted making any stolen hardware effectively useless to anyone that doesn’t have the encryption key.
Does Brexit mean this won’t be relevant to the UK?
The Government have confirmed the UK’s decision to leave the European Union will not change the roll out of GDPR.
What does this mean for my intranet?
Staff communications are a focal part of your company’s obligations under the new ruling. In fact GDPR makes a specific provision that staff have the right to give or withhold consent for their personal information to be stored and used. If a member of staff refuses, this can’t be viewed detrimentally.
This makes your intranet software more important than ever, to help you ensure you only use employee’s data for purposes for which you have a legal reason, or they have given consent.
If you are storing information about your clients, suppliers, etc. you must document how you will use their data, how long you will hold it for and, if requested, in what way you will dispose of it.
To help with the introduction of GDPR, you can utilise collaborative working areas, such as our Engage team spaces to help ensure everyone who needs to, reads, edits and rolls out important documentation and content.
What are we at SORCE doing to help clients be GDPR compliant with Engage?
Focusing on one aspect, “the right to erasure”, SORCE are creating anonymisation capabilities to ensure that you can retain database integrity, whilst removing the user’s identifiable information. Companies will have their own policies and procedure for the removal of data, but we will be providing tools to make implementing these processes simpler.