PC Pro

The Brexit (non)-issue

It matters not a jot that the UK voted to leave the EU: your business still needs to comply with GDPR. Prior to the vote, we spoke to John Culkin, director at Crown Records Management, who warned: “It would be tempting for businesses to think that if the UK leaves the EU then the GDPR rules wouldn’t apply to them. That isn’t the case.

“Although an independent Britain wouldn’t be a signatory of the regulation, it would be impossible for businesses to avoid its implications. Any company holding identifiable information of an EU citizen, no matter where it’s based, needs to be aware.”

At any rate, the General Data Protection Regulation merely reinforces certain aspects of good information governance, which all companies should already be embracing anyway.

“There’s no point ignoring privacy by design, when that is good procedure,” Culkin concludes. “The same is true of measures to protect a business from data breaches. These have reputational as well as financial implications – no matter who imposes the fine.”

Data breach notifications

One consequence is that businesses, large and small, will find themselves required to report most data breaches that impact personal data. That means notifying both the Information Commissioner and the individuals whose data has gone walkabout.

“Loss of client data is a major risk to any business, and the stakes are only getting higher,” said John Michael, CEO at iStorage. “The feedback from iStorage clients is that most data losses arise from human error, rather than any conscious contravention of the rules, or a lack of internal compliance effort.” This implies that the shift in emphasis to pro-active self-review and analysis should cut mistakes and limit data losses.

“The increase in financial risk from the new penalties will also see greater investment in encryption technology and tools to reduce the risks arising from the human element,” Michael suggested.

The right to be forgotten

Perhaps the most written-about feature of the GDPR is the “right to be forgotten”. This gives an individual the right to order a business to erase their personal data, as long as certain criteria are met.

To find out more, PC Pro spoke to Sarah Pearce, a partner in the Technology Transactions Group at law firm Cooley LLP. She told us that data
