
Less than six months to do - What you need to know about GDPR

With GDPR now adopted into EU law, Steve Sands, Chief Information Security Officer (CISO) at Synectics Solutions highlights how it differs from the Data Protection Act, and the implications for lenders. The new regulations will bring significant changes in the coming months and in the context of the UK’s departure from the EU, the pros and cons of the legislation have been pulled sharply into focus.

Steve, can you start us off by explaining what the GDPR actually is?

The GDPR replaces the Data Protection Act (directive 95/46/EC) and affects all UK companies who process or store personal information. It’s focused on looking after the privacy and rights of the individual, and based on the premise that consumers and data subjects should have knowledge of what data is held about them, how it’s held, and other core information that the Data Protection Act did not demand. Whilst it’s designed to strengthen and unify data protection for individuals within the European Union, it does also deal with the export of personal data outside the EU too.

What are the main differences between the GDPR and the Data Protection Act?

Well, we’re down from eight principles to six now and these focus on the intent with which any data is accessed and used being lawful, fair and transparent, and that it is for specified explicit and legitimate purposes. It’s also focused on data being adequate, relevant and limited to what’s necessary in relation to the purpose of the data access. Consideration is given to how accurate the data that’s held is and how it’s kept up-to-date, plus that it’s only held in a form where the data subject could be identified for no longer than necessary.

So all positive then?

Well yes and no. There are new accountability requirements with the kind of sanctions and breach penalties that will make businesses sit up and take notice – fines can reach up to 4% of a business’s turnover or €20m! And the penalties and sanctions will apply directly to data processors as well as data controllers. That’s all good, because it means data protection will be raised up the priority list, much as health and safety has over the last decade or two. It’s also positive that there’s a higher standard of ‘fair processing notices’ which means that you need more details around where the processing is based, how long the data is retained, what purposes it’s used for and the like. All and any transparency like this can only be a good thing.

The GDPR affects both data controllers and data processors, and a data protection officer with expert knowledge and a level of independence is required for bigger businesses. Whilst it may be that the Data Protection Officer doesn’t need to be in-house, we’re likely to see a real shortage of expert consultants and we’ll need legal teams to step in at first and pick up the slack.

With Brexit on the horizon, do we really need to worry about the GDPR?

We certainly do. It will take two years for our exit from the EU to be agreed, and the GDPR will become fully enforceable from 25th May 2018. We simply don’t know what will happen after the UK leaves the European Union, but it’s been suggested by some ministers that all EU laws we’re governed by will become enshrined in UK law for ease, before the process of reviewing, debating if needed, and then keeping, refining, or dropping them starts. Whether GDPR survives this process I can’t say, but the risk of fines at 2 to 4% of turnover must be absolutely front of mind for businesses not planning to comply.

How is it all being ‘policed’?

The Information Commissioner’s Office (ICO) is leading on it and they have a reputation for being fair, but it’ll be interesting to see how their funding evolves as we move forwards – after all, their role will massively increase and they’ve always avoided being funded from the proceeds of fines in the past as they see that it adds a layer of complication. In terms of prosecutions, they could take action from the 25th May 2018, but I suspect they’re more likely to choose their battles and initially focus on those wilfully not complying.

Do you foresee any problems?

Potentially yes. There’s an enormous burden on data processors as well as data controllers, and that’s never happened before. How will the huge cloud providers deal with their requirement to check compliance? Fines are a percentage of turnover and they’re likely to apply to them too, plus they have the reputational risk, after all as consumers we could hold both the data processor and the data controller responsible. And all of that could see costs being passed on to the end users.

Also, Subject Access Requests used to carry a £10 charge but will now become free and that’s likely to see an uplift in requests with only limited protection for all bar the most frivolous. How ready and able are most businesses to deal with this? And finally, the GDPR enshrines the right of portability, which sees data, in theory, needing to be packaged up electronically and ported over to a new company, before being removed from the first company’s system. How many are set up for this?

It’s a case of watching and seeing how it all plays out but I strongly advise every business to consider how the GDPR will affect them, and to start planning for it now. At Synectics Solutions we’re well advanced in our preparations, and we’re supporting some of our clients with their own requirements.

For more information contact Synectics Solutions on 01782 664000 or visit www.synectics-solutions.com


Bio for Steve Sands

A risk and compliance professional, Steve leads on all aspects of cyber-security, privacy and data protection for Synectics Solutions. A qualified ISO27001 Lead Auditor and a Data Protection Practitioner (PC.dp), Steve is a Full Member of several industry bodies including the Institute of Information Security Professionals (M.Inst.ISP), the British Computing Society, The Chartered Institute of IT (MBCS), the Information Systems Security Association (ISSA), and the Information Systems Audit and Control Association (ISACA).

About Synectics Solutions

Synectics Solutions is a pioneering data solutions and software development firm which has been providing cutting-edge software products to clients across the finance, insurance, automotive, public sector, and private sectors for over 25 years. Focused on fighting crime and protecting clients against fraud, its products are able to spot patterns and identify networks invisible to the human eye.