What has the EU ever done for us?

Well, apart from paid maternity, sick and annual leave; clean(er) water and now from May 2018 onwards, increased protection for how every European’s (sorry Brexiteers, this is you too..) personal data is managed and transferred by the organisations that hold our personal data. If your organisation collects or stores personally identifiable data from any European (or British) individual, this legislation will affect you even if you are located outside Europe. Compliance with the GDPR involves employing encryption, strong key management, processes to verify the user identities are legitimate and to allow users to be “forgotten”. Notification of data breaches to your local data protection authority will also become mandatory. The GDPR regulation is broad, the penalty regime is substantial, and full compliance with the GDPR is mandatory, worldwide.

Brexit will not save you as the UK Government has already committed that the EU GDPR will apply to all organisations [1]. No matter whether you are a company with a big payroll, a charity, or a social club that meets on the weekends and only keeps records of membership dues in an Excel spreadsheet, you will be required to comply. A recent survey of 1,350 non-IT business decision makers across 11 countries showed that 61% of UK organisations were not aware that the GDPR applies to them [2]. As HR departments deal with personally identifiable data, it is surprising that, “44% of European HR professionals do not know what General Data Protection Regulation (GDPR) is” [3].

The penalties for failing to comply with the GDPR are fines of up to 20 million Euro, or 4% of annual turnover, whichever is greater.

The spirit of the new law provides new enforcement powers to Government and gives European Citizens greater control over their data. There is a new statutory right for owners of records to be, “forgotten”. Personally identifiable data must be encrypted with strong public/private key encryption and in the event of any breaches, your local data protection authority must be notified promptly, and in some cases the owners of the breached records too.

Strong key encryption may need to be adopted (if you are not using it already) on records, files and the transport layer (network). Strong key encryption applies to data held on both on-premises (servers, desktops, laptops, mobile devices including any personal devices that your staff may be using under your “BYO” policy – and travelling devices (HMRC still haven’t recovered all their missing laptops and memory sticks!), and at home). Your use of any hybrid or cloud services (e.g. Amazon EC/S3, Microsoft Azure, Rackspace Cloud, DropBox, Google Drive, Microsoft OneDrive) also require a review to ensure compliance (the GDPR imposes extra conditions on the transfer of personal data outside the European Union and prohibits the retention of data in some countries). At a minimum organisations’ data controllers must know where information is stored, including subcontractors and agents’ data is retained on their behalf. All the mentioned services provide a platform (PaaS) and infrastructure (IaaS) security of the physical data and SSL encrypted transport layer security, but what happens to the data stored is ultimately your responsibility, not the responsibility of these software vendors.

If a breach occurs and the data controller can demonstrate that it was a “Secure Breach” (in other words, a breach of strongly encrypted data), then fines may be lessened.

Organisations may need a policy on what to do in the event of a data breach. Here’s an example of our commitment to data breach notifications from the Evolved Software Privacy Policy;

GDPR compliance is an opportunity to review your business processes, as well as your data security, and undertaking a comprehensive assessment now may well identify areas of non-compliance before the regulation starts in May 2018.

Evolved Software Studios Ltd have conducted an internal audit and implemented processes and controls that meet or exceed the requirements for the new EU General Data Protection Regulation. Evolved Software stores and processes payroll data on behalf of hundreds of thousands of individuals across the UK, and the data is encrypted, stored within the European Union and transferred using the highest security and encryption standards between endpoints that we control.

Feel free to contact me to arrange a no-obligation phone call or send me an email or a message if you have any questions or concerns about the new data protection regulations.

– Mike Wilson, CTO Evolved Software Studios Ltd

Sources:

[1] http://www.parliament.uk/documents/commons-committees/Exiting-the-European-Union/17-19/Sectoral%20Analyses/36-Technology-ICT-Report%20FINAL.pdf (Paragraph 23, Technology ICT Report, House of Lords European Union Committee, 2017)

[2] https://www.nttcomsecurity.com/en/risk-value-2017/ (NNT Security, 2017)

[3] https://www.sdworx.com/en-us/press/2017-11-28-44-of-european-hr-professionals-does-not-know-what-gdpr-is (sdworx.com, 28th November 2017)

[4] https://evolvedsoftware.com/privacy-policy/ (Evolved Software Privacy Policy)