We've put together this Q&A based on the questions we're hearing from our customers - with answers in plain English. Make no mistake - GDPR is complicated. But that's no excuse for inaction.
Q1 What is GDPR?
GDPR stands for General Data Protection Regulation. In essence, this is new UK legislation for the digital age that will define good business practices when it comes to handling personal data.
Q2 Why should I pay attention?
Practically everyone agrees GDPR represents the most significant overhaul of data protection regulations for years. The most pressing reason for paying attention, though, is that huge fines will be imposed for non-compliance. Fines can be up to 4% of your annual turnover (not your profit!) or £20 million – whichever is greater.
Q3 That’s unlikely to happen to me, isn’t it?
In many ways, the most significant part of GDPR is an obligation to report a data security breach to the regulator and to those affected within 72 hours of it happening. Hushing it up is no longer an option. This mandatory disclosure will clearly impact reputations and have business repercussions.
Q4 When is it happening?
GDPR is due to become law here in the UK in May 2018.
Q5 What are UK companies doing about it?
The answer seems to be that most companies are aware of the need to do something but haven’t yet got themselves into gear. The time for action is really now. Step one is to identify security risks that you can fix straightaway.
Q6 How does Brexit affect all this given we've now triggered Article 50?
The GDPR is an EU initiative and clearly the UK will leave the European Union. However, the UK’s digital minister has already made it clear the government intends to amend UK data protection law to mirror the GDPR. So Brexit is not an excuse to bury your head in the sand!
Q7 So what does GDPR mean for my business?
The main thrust of GDPR is really about your business processes – how you get consent to capture and keep personal data. The technology piece of the story relates to being able to prove you have the strategies in place to secure and protect that data.
Q8 Will I have to hire more staff to deal with this?
Some organisations will have to appoint a data protection officer to help them comply with the requirements of GDPR. For example, data protection officers will be required for all public authorities.
Q9 Where can I find out more?
The Information Commissioner’s Office is the independent authority set up to uphold information rights, and it is a good source of detailed information. There's also some useful content from Kyocera on printer vulnerabilities.
Q10 How can Itec help me?
In the short term, an Itec Security Review can carry out a rapid independent assessment of your network and risk-score your business. This means we scan your IT systems to identify security risks - many organisations have taken steps to address external threats (e.g. PCI compliance) but we can help uncover internal vulnerabilities that are often overlooked. We will produce the report - and one of our experts will present it to you. You are charged a fixed fee based on your network size, number of servers and locations.
Longer term, we can help you develop an Enterprise Content Management strategy that can support good data security practices and so serve to keep your business compliant. And our Managed Print Services team can work with you to ensure your printing devices are secure.