Companies that collect, store or process data relating to any EU resident will be required to comply with the new EU regulation by May 2018 if they don’t want to face significant penalties.
It is anticipated that, due to the nature of cloud-based services, many companies will not be aware of their need to comply. Microsoft has promised its cloud services will be compliant with GDPR by 2018. But companies using the services of Microsoft or any other GDPR-compliant cloud service provider will still be required to take further action.
The data protection principles are similar to the principles set out in Directive 95/46/EC (the Data Protection Directive), but a new accountability principle now makes controllers responsible for demonstrating compliance with the data protection principles.
This means that if you handle the personal details of your customers you need to undertake the following activities:
- You should reduce the amount of personal information you store, ensuring that you do not store it for longer than necessary.
- You must obtain consent when processing children’s data.
- You must ensure clear and affirmative consent is provided when processing private data.
- If you work for a public authority, a Data Protection Officer must be appointed. This is also the case where core activities involve “regular and systematic monitoring of data subjects on a large scale” or where large-scale processing of “special categories of personal data” takes place.
- You now need to adopt a risk-based approach when undertaking higher-risk data processing activities.
- You will be required to report data breaches to the data protection authority when they represent a risk to the rights and freedoms of the customer.
- Your customers now have the right to be forgotten.
- You have to consider the risk of transferring data to countries outside of the EU.
- If you process data you now have to meet stricter legal obligations, meaning you can be held liable for data breaches.
- Your customers can now request a copy of personal data in a format usable by them.
- Privacy in your service or product is to be taken into account from inception through to delivery.
- Data should only be collected to fulfill specific purposes and discarded when it is no longer required, to protect data subject rights.
If you are concerned about compliance with GDPR, you can protect your organisation by implementing an Information Security Management System (ISMS). ISO 27001 offers businesses an ISMS which follows international best practice and will help you to put processes in place that protect all information assets, not just customer information or information that is stored electronically.
To find out how you could implement an ISO 27001 information security management system or how it can help you to ensure compliance with GDPR requirements, contact QMS today on 0333 344 3646 or email firstname.lastname@example.org.