The term GDPR has been used a lot over the past year, but it can be confusing and difficult to know what it refers to and who it applies to. In this guide, we take a look at what GDPR is, the companies that need to take note and how businesses can ensure they’re meeting the necessary requirements to be GDPR compliant.
What is GDPR?
GDPR stands for the General Data Protection Regulation, the EU regulation on the processing of personal data that has applied since 25 May 2018. It protects individuals in the European Union and replaces the earlier patchwork of national data protection laws with a single set of rules, so that organisations handling personal data anywhere in the EU (and the wider EEA) work to the same standard. GDPR gives individuals a right of access: an organisation must confirm whether it is processing their personal data and, if so, tell them what data it holds, why, who it is shared with and for how long it will be retained. If an individual requests a copy of their data, the organisation must normally supply it free of charge and within one month; a fee may be charged, or the request refused, only where it is manifestly unfounded or excessive, for example because it is being repeated. Individuals can also ask for their data to be erased, although this right is not absolute: an organisation may keep data it is legally obliged to retain or that it still needs for the purpose it was collected for.
Who Has to Comply?
GDPR applies to any organisation that processes personal data, whether it decides how and why the data is used (a controller) or handles it on someone else's behalf (a processor): private businesses, public authorities, charities and other bodies alike. The only general carve-out is for individuals processing data for purely personal or household activities. It also reaches organisations established outside the EU if they offer goods or services to people in the EU or monitor their behaviour there, for example by tracking visitors to a website. The test is where the individual is located when the data is collected, not their citizenship or residence, so an overseas business cannot assume it is out of scope simply because its customers are not EU nationals.
What Counts as Personal Data?
Personal data is at the core of GDPR, but the regulation does not apply to every piece of data a company holds. Personal data is any information relating to an identified or identifiable living individual. Identification does not require a name: it can be achieved by combining separate pieces of information, or through identifiers such as an account number, an IP address or a cookie ID. What counts as personal data is therefore very broad, from a shoe size, a hobby or a photograph to a location history, as long as it is possible to work out who the information relates to. Two consequences follow for engineers. Pseudonymised data, where direct identifiers have been replaced with a token but the mapping back to the person still exists somewhere, is still personal data and remains in scope. Only data that is truly anonymised, so that no one can re-identify the individual by any reasonably likely means, falls outside the regulation. Certain kinds of data, such as health data, biometric data and information about ethnic origin, religion or sexual orientation, are 'special category' data and carry stricter conditions for processing.
How Can Businesses Ensure Data Is Processed Securely?
As a business, it is important to have a documented approach to processing personal data correctly. Appointing a data protection officer is not simply an option for larger companies: GDPR makes it mandatory for public authorities, for organisations whose core activities involve regular and systematic large-scale monitoring of individuals, and for those processing special-category data at large scale. Smaller organisations that fall into these groups can meet the requirement with an outsourced DPO service. Whether or not a DPO is required, the following steps should be taken as a minimum by every organisation:
- Inventory the personal data the company holds: what it is, why it was collected, where it is stored (including backups, logs and third-party services) and who it is shared with. GDPR requires most organisations to keep such a record of processing activities in any case.
- Carry out a risk assessment that covers the most likely ways the data could be exposed, whether by an external attacker, a misconfiguration or a careless insider. Where processing is likely to be high risk to individuals, for example large-scale profiling, a formal data protection impact assessment is required before the processing starts.
- Implement a data protection plan that builds on the risk assessment: collect and keep only the data the business actually needs (data minimisation); restrict access to personal data to the staff and systems that need it, and log that access; decide where the data is stored and protect it in transit and at rest, using encryption or pseudonymisation where appropriate; and set a retention period for each category of data with a deletion process that is actually run.
- Test the security controls regularly, including checking that backups exist, are protected to the same standard as live data and can actually be restored; GDPR expressly requires that the effectiveness of security measures be tested and evaluated on an ongoing basis.
- Develop a data breach response plan so that everyone knows what to do if personal data is compromised. It should cover how a breach is detected and contained, how its impact on individuals is assessed, and the notification duties: the supervisory authority must normally be informed within 72 hours of the organisation becoming aware of a breach that is likely to put individuals at risk, and the affected individuals must be told without undue delay when the risk to them is high.