Data security is a hot topic around the world and the latest, publicised breaches prove that it can happen to any enterprise, regardless of the industry or size. There have been many debates and uncertainty around the upcoming General Data Protection Regulation (GDPR) in recent weeks. The Irish Data Commissioner (IDC), has released guidance this week for businesses who hold data (which is most likely the majority of enterprises).
Here are the top six points summarised:
The Need for Business Software to Process Information Requests
At this stage, it is important to start generating awareness within your enterprise. Data controllers in the organisation should be aware of GDPR and the implications. A full review of your privacy documentation should take place and if any gaps are noted, these must be addressed before the regulation comes into place.
If you do not have any procedures around data information requests or contingent plans in place, these should be prepared and communicated across the whole organisation. Organisations will not be allowed to charge for information requests (except in extreme circumstances) and the timeframes for delivery of these requests will be dropping considerably from the existing 40 day window.
The next step is to understand what data you are holding on file. The onus is on your organisation to demonstrate compliance so it is important to review the data held by your organisation.
[cta link=”http://www.trc-solutions.com/gdpr-and-your-business/” colour=”grey”]Download the GDPR Guide from TRC Solutions[/cta]
A Data Compliance Audit will be Useful to Understand:
In certain circumstances, compulsory audits will need to be enforced in order to comply. This would apply to those organisations involved in ‘high-risk processing….where there is large scale monitoring of a publicly accessible area’.
Many applications online request information without clarifying where this information will be stored or how. Under GDPR, organisations must ensure customers are clear that they have provided consent and can not be ‘inferred from silence, pre-ticked boxes or inactivity’. A clear audit trail may be requested as proof.
GDPR introduces new procedures to protect children’s data. This includes clearer communication that underage customers will understand and permission from guardians where applicable.
Some data breaches (most notably Yahoo!), were not communicated to the IDC, offices in a timely manner. The new regulations will require breaches to be communicated to the IDC within 72 hours of the situation being discovered unless the data was encrypted. Failure to do so will result in fines for both the breach itself and the delayed reporting.
The documentation is available from the Data Protection Commissioner online. Dereck Teefy, our Director of Operations is already helping our customers prepare for the new regulation. If your organisation is in need of assistance, please contact us.
[cta link=”http://www.trc-solutions.com/?page_id=232″ colour=”grey”]Arrange a call with one of our SAP Business One Consultants[/cta]