GDPR

Summer 2017

GDPR: date for your diary

New rules governing the way in which organisations store and use people's personal data come into force next year, so gen up on the regulations now to avoid a last-minute panic.

Make a note of it: 25 May 2018. That's when the new General Data Protection Regulation (GDPR) comes into force in the UK, replacing the Data Protection Act (DPA) obligations. The GDPR, which is being implemented regardless of Britain's decision to leave the European Union, requires businesses to review the personal data they hold. If a person can be identified from this data, organisations must ensure it is being held and used for specific purposes only and, in many instances, with the consent of the individual. Organisations must also make sure that processing of this data, by themselves or a third party, is done lawfully and securely.

You will have to look at:

- The data you hold
- Why you hold it
- Who you share it with and what they do with it
- How you and they protect the data
- How you use data shared by others

And you have to make sure all of this complies with the new regulation. Suddenly, 25 May 2018 doesn't seem so far away!

Even if the GDPR does not require you to make significant changes to your processes and systems, you will still need to demonstrate compliance if audited. Many mistakenly believe the regulation won't apply to them, or underestimate the effort required to become compliant. Some have not yet heard of the GDPR, but the short of it is, this affects all organisations in the UK.

If you have been procrastinating about cyber security, the GDPR offers an impetus to get started, because the need to have good protection of data is mandated in the regulation.

It allows for punitive measures to be applied for breaches of the regulation, and it has been noted that the fines for some high-profile violations would be orders of magnitude more severe than under the existing DPA. In one well-known case, the estimated fine would be 175 times larger under the upcoming regulation. To be clear, there does not have to be a data loss for a fine to be levied. If an organisation is audited by the Information Commissioner's Office (ICO) and its procedures for holding and processing personal data do not comply with the GDPR, and/or insufficient care has been taken to protect that data, there are grounds for a fine.

Cyber Essentials, a recommended set of controls against which to audit yourself periodically, is a great starting point from which to build the protection and security element. The IASME information assurance standard takes you even further, and then there is ISO 27001, which, despite what many commentators suggest, is not only for large companies. Certification against one of the standards demonstrates data security. However, it is not the certificate that protects you, although certification will probably be viewed very positively by the ICO; it is the action. Put the principles into place and do self-audits to demonstrate compliance. You can certify later. We have started, so should you!

Credit: Stephen Wright. Images: iStock, RobsonAbbott / klenger / abluecup.

For further information, please contact your local Trading Standards Service.