When we think of computer crime or ‘cybercriminals’ we often think about the external hacker or the rogue employee stealing information. But it’s important that you know that most information breaches and problems are not caused deliberately, but are genuine human error.
We must also remember that the information we’re sharing is being held by organisations that we ‘hope’ are taking care of it responsibly. We’d like to think that the hospitals and banks we trust with our sensitive information have high levels of security and controls in place – and in most cases they do.
But did you know that there is actually a law which requires every organisation and business to take care of your data? If you didn’t, then you need to know about it – but more than this, you need to know that the law is changing!
The Data Protection Act (DPA) 1998
The DPA was passed by Parliament to control the way information is handled and to give legal rights to people who have information stored about them. But things have moved on a little since 1998, which was only two years after ‘Backrub’ (later to be renamed ‘Google’) was introduced to the world.
Since then, iPhones, Facebook and Twitter have been invented. Our world has certainly changed, and the amount of data we’re creating, sharing and storing has grown exponentially. Today, in 2016, we are creating more information than ever before, and experts predict this is only going to increase.
So why does this matter? Because all this data is YOU! It’s your online life. From the moment you are born, to the moment you die, information is being collected, reviewed, used and shared without you even being aware of it. This is why the protection of your data (your online avatar) matters.
What does the DPA do?
The DPA places an expectation on organisations (like the one you work for, and those you share your information with) that they will put in controls around:
- Who can access your information
- Ensuring the information is accurate
- Ensuring it is only used for its intended purpose
- How the information is stored and shared
- The technical and organisational controls in place to protect your information
If there is an accidental or deliberate loss of personal information, then the Information Commissioner’s Office (ICO) needs to be made aware of it. For example, if you lose a laptop or mobile device, or a computer is hacked and information stolen, then the ICO wants to be made aware of it.
Time for something new
As previously stated, the DPA has been around without much change since 1998, and of course technology has moved on significantly since then. So on April 14th 2016 a new regulation came into being, which will be enforced from May 25th 2018 (so organisations have two years to reach compliance).
The new regulation is called the “General Data Protection Regulation” or GDPR for short. These regulations have taken some time to be created as they are ‘Pan-European’, which means that they apply to all organisations operating in and sharing information across Europe.
Things you need to know about the GDPR
Firstly, Britain had a lot of input into these new European regulations, so don’t think that ‘BREXIT’ will change them – they will come into force BREXIT or BREMAIN! So don’t live in false hope that you don’t need to worry about the regulations – they’re coming. Start preparing now.
The regulations are far reaching but there are three areas which you really need to know and consider:
- Once you become aware of a data breach (i.e. an accidental or intentional loss or destruction of information), you must inform the Information Commissioner’s Office within 72 hours.
- If your organisation employs more than 249 people, then you will need to appoint someone to be your Data Protection Officer (and it needs to be someone suitably skilled in both IT and Compliance).
- If you have a breach, fines can be up to 20 million euros or up to 4% of your global turnover (turnover – not profit).
What to do?
The first thing to do is to recognise that you have to take responsibility for data protection in your organisation. Information held ‘in the cloud’ is still information under your control and you need to demonstrate that you’re protecting it from accidental or deliberate loss.
You can go to the ICO’s website where you can find helpful information. You can also download a simple ’12 Steps to take now’ guide by clicking on this link.
If you’re still confused, then seek professional advice or guidance. There are technical controls you need to consider, but there are operational ones too. This isn’t just about IT or ‘cloud’. This is a business risk which you need to consider carefully.
The regulations are coming. Be prepared for them. They affect you personally and professionally, so be sure you know how to protect your data, and remember – the organisations that are holding information about you, need to be doing the same.
Visit the Business West General Data Protection Regulation (GDPR) page if you would like more information about how it will affect your business.