GDPR Guidance

The GDPR (General Data Protection Regulation) is a regulation introduced by the European Union (EU) designed to raise the level of data protection and privacy for individuals in the EU. The regulation became applicable on 25th May 2018, meaning that from this date it was enforceable throughout the EU. In the UK, the GDPR is supplemented by the Data Protection Act 2018.

The primary focus of the GDPR is to improve data security and privacy, and to protect the rights of individuals to decide how their personal data is used and shared. The GDPR is concerned with the protection of “personal data”, and provides a framework where any organisation that fails to comply with the regulation faces a substantial fine.

Who needs to comply with GDPR?

Any organisation that handles the personal data of individuals in the EU must comply with the GDPR, wherever that organisation itself is located. If your organisation works with personal data, you will be acting as either a controller or a processor.

  • A controller determines the purposes and means of processing personal data.
  • A processor processes personal data on behalf of, and on the instructions of, a controller.


What are the penalties for non-compliance with GDPR?

A fine of up to €20m or 4% of annual global turnover, whichever is higher, can be handed to any organisation that fails to comply with the GDPR, which is a compelling argument for taking GDPR compliance seriously.

When discussing the GDPR with organisations, we encourage them not to focus only on avoiding fines. Avoiding fines is important, but it is not the only reason to be compliant.

Equally important, compliance with the GDPR means an organisation is doing the right thing by its customers. Any organisation that handles personal data has a legal and moral obligation to use that data responsibly.

How do I comply with GDPR?

A key principle within the GDPR is data protection by design and by default (often referred to as Privacy by Design). This means that organisations are obliged to consider data privacy at every stage of a project or process, rather than treating it as an afterthought.

A Data Protection Impact Assessment (DPIA) must be conducted where processing is likely to result in a high risk to individuals, and it is good practice to carry one out for every project and process that touches personal data. A DPIA helps to identify the risks associated with any activity handling personal data, and ensures that the requirements of the GDPR are “baked in” from the outset rather than forgotten.

GDPR also provides a number of rights to individuals:

  • The right to be informed;
  • The right of access;
  • The right to rectification;
  • The right to erasure;
  • The right to restrict processing;
  • The right to data portability;
  • The right to object;
  • Rights in relation to automated decision making and profiling.

The individual rights defined by the GDPR must be respected by every organisation that handles personal data. To support ongoing compliance, organisations need a number of business-as-usual processes in place to handle them.

Where to start with GDPR compliance?

Nettitude can conduct a GDPR workshop and GDPR gap analysis to raise awareness and understanding of the GDPR and to engage key stakeholders in understanding how it will affect your organisation. This provides a “kick-off” for your GDPR efforts, and is aimed not only at your technical teams but also at key positions within the wider business.

Already compliant with GDPR?

Many organisations already have processes in place to support GDPR compliance, but are those processes actually working? Nettitude can provide assurance by testing them independently.

Supporting the individual rights defined by the GDPR requires a number of business-as-usual processes, including processes for:

  • Completing data protection impact assessments (DPIAs);
  • Responding to subject access requests;
  • Deletion of data on request (“right to be forgotten”);
  • Keeping data accurate;
  • Deletion of data that is no longer needed.

A GDPR health check delivered by Nettitude tests that these processes have been implemented and that they are functioning as required. It answers questions such as:

  • If a customer submits a subject access request online, would we respond to it?
  • Do customers have to opt in to marketing?
  • How can a customer update their information?
  • Are we able to respond to “right to be forgotten” requests?
  • Did we conduct DPIAs when required?
  • Would we respond to a breach correctly?