Storing Personal Data Under GDPR

May 30th, 2017

There is now less than a year to go before the UK’s Data Protection Act (DPA) is replaced by the EU’s General Data Protection Regulation (GDPR), which will have huge implications for any business that stores personal data online.

The new regulation will take effect on 25 May 2018 and the Government has confirmed that, Brexit notwithstanding, it will adopt the new legislation. The regulation will enforce complex data obligations for businesses and issue damaging fines for breaches. However, many firms remain entirely unprepared for the changes and it is believed that by the end of next year, more than half of them will not be fully compliant with the GDPR’s requirements.

What will change in 2018?

The DPA dates from the 1990s, so the amount of data businesses have the means to collect and store has increased hugely. These days most businesses not only collect personal data but also store, move and access them online. Cybercriminals have been quick to see this opportunity to hijack sensitive data and regularly attempt to capitalise on it, as has been seen with the recent ransomware demands on the NHS and others.

In 2016 alone, businesses in the UK lost more than £1bn to cybercrime, with criminals getting access to the most personal details of the customers of these firms. Add to this that a recent report has found that cybercriminals believe smaller firms to be ‘softer targets’ than their larger counterparts, and small and medium-sized enterprises are going to have to sharpen up their act.

Tighter data regulation is therefore to be welcomed but many businesses in the UK are just not prepared, so could be in for a shock, as ignorance will be no defence for the SMEs who fail to comply with it.

SMEs will need to tighten up on consent

One of the biggest changes facing SMEs under GDPR is consent. From next May, firms will have to keep a thorough record of how and when an individual gives consent to store and use their personal data, including an audit trail. Moreover, people will have the right to withdraw their consent at any time and, if they do, the firm storing their data must permanently erase their details, not just delete them from a mailing list.

If there is an attack

In the event a business’s security is breached, the firm must inform the relevant authorities within 72 hours, giving full details of the breach and how they are proposing to mitigate its effects. They will need to explain what personal data they hold, where it is located – on PCs servers or in the Cloud – and have procedures in place to ensure its complete removal, if requested to do so.

Preparing for the new rules

In order to be compliant from day one, businesses will need to have a full information audit and, for many of them, a culture change. This means they should start now to have everything in place by next May.

Since end users are generally regarded as the weakest links in cyber defence, cybersecurity must begin with the individual, so all personnel will need security training and the business’s owners will need to realise that adhering to security protocols is not just the job of the IT department, but the concern of everyone.

Therefore, any businesses that require assistance in becoming compliant, changing their culture or carrying out their audit should contact the Briars Group as soon as possible, as time is ticking away.

Kate Jolly

Kate co-founded Briars in 1991 with Andrew Brierley. She specialised in tax law and today continues to advise clients on international operations, particularly land, expand and exit! In her spare time Kate is a Past Master of the City of London Guild of Entrepreneurs and a Director of CCARHT (Cambridge Centre for Applied Research into Human Trafficking).