If you would like to discuss your needs, call us on 01844 291110
The General Data Protection Regulation
The EU General Data Protection Regulation (GDPR) applies from 25th May 2018. All organisations that hold personal data about identifiable individuals in the EU must comply by that date.
The UK already has regulation in this area: the Data Protection Act 1998 (DPA), overseen by the Information Commissioner’s Office (ICO), which implemented the EU’s earlier Data Protection Directive. The GDPR builds on that framework and applies to the personal data of everyone in the EU. It requires every business, large or small, UK or worldwide, that keeps personal data about an identifiable individual in the EU to be able to demonstrate compliance with six key principles:
- Personal data must be processed lawfully, fairly and in a transparent manner,
- It may be collected only for specified, explicit, and legitimate purposes,
- Data must be adequate, relevant, and limited to that which is necessary for the purpose,
- Data must be accurate and up to date,
- Kept for no longer than necessary, and
- Kept appropriately secure using technical or organisational measures.
The responsibilities of the data controller (the organisation that decides why and how the data is used) extend to any sub-contractor that processes data on its behalf (a data processor), and that arrangement must be covered by a written contract. Businesses must ensure that they have safeguards in place to protect the data and the rights of individuals.
In addition, the regulation confers a number of rights upon individuals (data subjects), including:
- The right to be informed,
- The right of access,
- The right to rectification of errors,
- The right to erasure,
- The right to restrict processing, and
- The right to object
However, if the business has a ‘legitimate business reason’ to keep and process the data (such as operating a payroll system, where retention is also a legal obligation), these rights are not absolute: the organisation may keep the data for at least as long as it is legally required to.
Businesses that collect and use data for marketing purposes will generally need ‘explicit and unambiguous consent’ from the individual to collect, hold and use the data for that purpose. Under the GDPR consent must be freely given, specific, informed and given by a clear affirmative action; it cannot be assumed from silence, pre-ticked boxes or inactivity, and it must be as easy to withdraw as it was to give.
All businesses should follow the following action plan regarding their use of personal data:
1) Appoint a suitable manager (or, where the regulation requires it, a Data Protection Officer) to be accountable to the board for GDPR compliance,
2) Identify and document all personal data kept, where it came from, who it is shared with and how it is processed,
3) Determine and record the lawful basis for keeping each set of personal data. Is there a ‘legitimate business reason’ (or another lawful basis, such as a contract or a legal obligation), or must ‘explicit and unambiguous consent’ be obtained?
4) Write policies that underline the organisation’s commitment to protecting data and applying the GDPR principles,
5) Ensure contractors that process the data are bound into these policies,
6) Ensure that systems and storage (whether manual or IT) are sufficiently secure,
7) Determine and document the actions to be taken if individuals invoke their rights, and
8) Determine and document the actions to be taken in the event of a personal data breach, including how the breach will be assessed and, where required, reported to the ICO within 72 hours of the organisation becoming aware of it and communicated to the individuals affected.
Boffins and You
Boffins is committed to the principles of data protection embodied in the European GDPR and will do its utmost to comply with any GDPR obligations that you place upon us in our contractual relationship. Boffins considers that it has a legitimate business reason to store user information (e.g. name, logon name, job function, location(s), email addresses, and details of conversations and work performed) in its computer systems for the purpose of:
- Providing IT support to the Customer’s users,
- Legitimate business correspondence, and
- Providing information about products and services offered.
Boffins Computer Workshops is an IT systems and support company, not a GDPR compliance consultant. Nor are we authorised, or able, to give legal advice. This guidance is freely offered and Boffins accepts no liability regarding the GDPR responsibilities or actions of the reader.
Over and above our normal support activities, Boffins is able to provide assistance to organisations that need to comply with the GDPR. This includes:
- A comprehensive security review to assess the effectiveness of the organisation’s defences against cyber-attack. We identify vulnerabilities and suggest ways in which security can be tightened through technology and policy,
- Implementation of advanced firewalls that apply policy-based rules and perform deep inspection of traffic in and out of the network,
- Routine penetration testing of the network perimeter to support GDPR and PCI DSS compliance,
- Anti-spam and anti-virus scanning of email outside the network perimeter, to reduce the risk of malware infection and data loss,
- Encryption of data on portable devices and in transit between sites, whether over leased lines or internet connections, and
- Regular patching of systems to protect against newly disclosed vulnerabilities.