What is the General Data Protection Regulation (GDPR)

The GDPR is a data protection law with global reach: it applies well beyond companies that operate only in the EU. Any organisation that targets consumers in the EU, processes the personal data of EU data subjects, or monitors the behaviour of EU data subjects must comply with the requirements of the GDPR.

 

  • GDPR has been enforced since 25th May 2018.

  • It was developed to bring data privacy rules up to date while protecting the rights, privacy and freedom of natural persons in the EU.

  • It applies to any organisation in the world that processes the data of an EU data subject.

  • It covers all activities of collection and processing of personal data.

  • Heavy penalties:

“Under GDPR, organizations in breach of GDPR can be fined up to 4% of their annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.”

Key Definitions of GDPR:

  • Personal Data - any information relating to an identifiable natural person (the data subject). Examples: name, date of birth, IP addresses, email address, biometric data.

  • Processing - any operation performed on personal data.

  • Data Controller - a person who (either alone, jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

  • Data Processor - entities that process the personal data on behalf of the data controller.

  • Data Subject - an individual who is the subject of personal data; in other words, the individual whom particular personal data is about.

 

Data Subject rights:

  • The right to be informed

  • The right of access

  • The right to rectification

  • The right to erasure

  • The right to restrict processing

  • The right to data portability

  • The right to object

  • Rights in relation to automated decision making and profiling.

Data Protection Principles:

Under the GDPR, the data protection principles set out the main responsibilities for organisations.

Article 5 of the GDPR requires that personal data shall be:

  1. Lawfulness, Fairness & Transparency: processed lawfully, fairly and in a transparent manner in relation to individuals;

  2. Purpose Limitation: collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

  3. Data Minimisation: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

  4. Accuracy: accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

  5. Storage Limitation: kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;

  6. Integrity and Confidentiality: processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.


Article 5(2) requires that:

Accountability and Compliance: the controller shall be responsible for, and be able to demonstrate, compliance with the principles.

For more details, see the Information Commissioner's Office (ICO) Guide to GDPR.

 

Preparing for the General Data Protection Regulation (GDPR)

  • Awareness

    • Making sure that decision makers and key people in your organisation are aware of the GDPR. They need to appreciate the impact this is likely to have.

  • Information you hold

    • Documenting what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

  • Communicating privacy information

    • Reviewing your privacy notices and putting a plan in place for making any necessary changes for GDPR implementation.

  • Individuals’ rights

    • Checking your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

  • Subject access requests

    • Updating your procedures and planning how you will handle requests within the new time-scales and provide any additional information.

  • Lawful basis for processing personal data

    • Identifying the lawful basis for your processing activity in the GDPR, documenting it and updating your privacy notice to explain it.

  • Consent

    • Reviewing how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.

  • Children

    • Deciding whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.

  • Data breaches

    • Making sure you have the right procedures in place to detect, report and investigate a personal data breach.

  • Data Protection by Design and Data Protection Impact Assessments

    • Familiarising yourself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and working out how and when to implement them in your organisation.

  • Data Protection Officers

    • Designating someone to take responsibility for data protection compliance and assessing where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.

  • International

    • If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.

 
How Meta Defence Labs can help with your GDPR Readiness

  • GDPR Awareness Session To The Leadership Teams

This is the first step to achieving GDPR readiness for your organisation. Awareness sessions help board-level management to identify how GDPR can impact the organisation and to analyse any risks. Contact us to book an awareness session.

  • GDPR Readiness review / Gap Assessment

 

The review helps board-level management to identify gaps in how prepared the organisation is and what they need to prioritise to achieve compliance. Following the review, our consultants can help you put together an action plan to address the GDPR requirements. Contact us to book a review.

  • Data Protection Officer (DPO) as a Service

The cost of having an independent in-house Data Protection Officer would be around £100,000 p.a., and you also need to account for recruitment fees on top. Having an external DPO can assist you in reducing costs and receiving independent advice. Get in touch to find out more.

  • ISMS Gap Analysis

You could have security without privacy, but you could not have privacy without security. A qualified ISMS auditor will interview key business owners and perform an assessment of the organisation’s existing information security measures and documentation based on the agreed scope. Following the assessment, a report will be produced on the findings with respect to compliance areas against ISO 27001 and industry standards, also containing the required improvements with recommendations. Contact us to book an assessment.

  • ISO 27001 Implementation and Audits

 

We can help you plan and implement your Information Security Management System (ISMS) aligned with the ISO 27001 standard and even achieve certification. We also conduct ISMS audits to help our clients assess and maintain a resilient ISMS.

  • IASME + GDPR Information Security Certification and Audits

Audited IASME Governance (also known as IASME Gold) is an independent on-site audit of the level of information security provided by your organisation. It offers a similar level of assurance to the internationally recognised ISO 27001 standard but is simpler and often cheaper for small and medium-sized organisations to implement. Meta Defence Labs, as a certification body for IASME, can work with you to achieve IASME Gold certification by helping you implement a cost-effective and resilient ISMS. More information on IASME.

  • Training Workshops

We conduct tailored training workshops on Cybersecurity and GDPR Readiness for C-level executives, board members and staff. Get in touch to book a session with us.

 
Need more details?

We are here to assist. Contact us by phone, email or via our Social Media channels.