GDPR news: UK data watchdog opens GDPR helpline for SMBs

GDPR at a glance

The General Data Protection Regulation (GDPR) comes into force in the UK on 25 May 2018, replacing the Data Protection Act 1998. Designed to give people more control over their data, GDPR represents a challenge to organisations, which must bring their data protection policies into line with the regulation by the 2018 deadline. GDPR will compel organisations to secure clearer consent for using people’s information, and will introduce tougher fines for failing to protect people’s data.

This hub collates all the latest GDPR news as it happens, but please follow these links for more information on what the GDPR is, and how to prepare for it. Separate facts from the hype about GDPR with our article puncturing marketing hyperbole.

03/11/2017: The Information Commissioner’s Office (ICO) this week launched a helpline for SMBs preparing for the General Data Protection Regulation (GDPR).

The phone service, which opened on 1 November, is designed to address the specific data protection challenges facing the estimated 5.4 million SMBs operating in the UK.

With staff on hand to answer questions, the service acts as an extra resource to the ICO’s existing guidance, with an emphasis on helping people with obstacles particular to their businesses.

Information Commissioner Elizabeth Denham said: “Small organisations want to be ready when the new law comes into force in May 2018, but they often struggle to know where to start.


“They may have less time and money to invest in getting it right and are less likely to have compliance teams, data protection officers or legal experts to advise them what to do.

“Our new phone service and all the other resources already on our website plus even more advice and guidance yet to come will help steer small businesses through the new law.”

The ICO already offers firms of all sizes a 12-step guide to preparing for GDPR, which comes into effect in the UK from 25 May 2018, giving people more rights over their data, and imposing tougher fines on organisations that fail to protect it.

The data protection regulator is also revising its SMB toolkit in order to help firms fill any gaps they have discovered in their preparation for GDPR. Around 9,000 businesses a month have used the toolkit since January 2016, while the ICO’s 12-step guide has been viewed 73,000 times since May 2017.

06/08/2017: One in five large UK businesses is completely in the dark when it comes to the application of GDPR in its organisation, according to new data.

Citrix’s survey of 500 IT decision makers in such organisations found that 20% didn’t know if their company’s policies are compliant with GDPR.

One of the major problems facing these businesses is data sprawl. The study found that 21% of respondents use more than 40 systems to manage and store personal data – almost double the national average – with 47% saying they share this information with other organisations. Of that 47%, nearly half share the data with more than 50 companies.

While the majority said they retain complete control of this data, 15% said they don’t.

These figures present several problems. First, GDPR requires people’s consent for their data to be held and shared – consent that will have to be reaffirmed actively once the legislation comes into force in May. Second, EU residents have the right to access all the data held about them at any time and also to request their data is removed at any time. Both of these may be a challenge when so many systems are used and if the data is no longer in the full control of the initial data controller.

Another issue raised by the survey is understanding data ownership – a key tenet of GDPR. Only 27% of those questioned thought personal data belonged to the customer, with 50% thinking it belongs to the organisation holding it.

Chris Mayers, chief security officer at Citrix, said: “Ensuring data privacy processes and systems are in place – from privacy by design to privacy by default – requires an organisation to know exactly where their data is and who can access it. Yet many are losing sight of data, spread across multiple systems and shared with multiple partners, while also struggling to scale up to store and control the huge influx of personal customer data they receive today.”

“Businesses must recognise that more centralised application and data storage environments will make it easier to meet technical compliance goals. This centralisation can be achieved in various ways, from introducing unified access controls across on-premise and cloud services with single sign-on to rolling out centrally-managed virtual workspaces. However it is done, controlling data sprawl and recognising enterprise accountability around data privacy will be key to GDPR compliance,” he added.

20/07/2017: The Cloud Industry Forum (CIF) has responded to what it sees as “uncertainty” in how authorities will determine data protection compliance by drawing up its own standards.

The EU General Data Protection Regulation (GDPR) comes into force across the soon-to-be 27-nation bloc on 25 May 2018, by which point any organisation handling EU residents’ data must be compliant or face tough fines for breaches, of up to 4% of annual turnover or €20 million, whichever is greater.

CIF is the latest organisation to air doubts that data protection authorities have a clear idea of how companies can achieve compliance, however, since no clear standards have yet been drawn up.

“It’s incumbent on cloud service providers (CSPs) to be able to demonstrate they have the required capabilities,” said CIF CEO Alex Hilton.

“However, in many ways the GDPR is an abstract and non-prescriptive piece of legislation and the absence of a concrete standard makes it difficult for certain companies to be sure that what they have put in place is compliant.”

As a result, CIF has updated its Code of Practice for CSPs to ensure they’re compliant with the stricter data protection rules, which hand EU residents more control over their personal data and require organisations holding or processing the data to be transparent about what they’re using it for.

Under GDPR, companies using cloud services are still liable for any breaches of the new rules, even if the breach is the CSP’s fault, so understanding that a CSP is compliant will be an important factor in deciding whether to sign a deal with them.

Frank Bennett, CIF deputy chair, said: “Customers selecting a new provider will include GDPR in their due diligence. For service providers, GDPR is a mission critical event for the retention of existing customers and winning new customers and the CIF Code is there to provide assurance to customers.”

Collaboration platform Box’s VP of compliance, Crispin Maung, told IT Pro earlier this year that data protection authorities “are struggling with figuring out what GDPR compliance really means and how they are going to measure [it]”.

Meanwhile, retailer John Lewis and bank HSBC both criticised the UK data protection authority’s guidance so far on GDPR compliance, calling it “woolly”.
