To strengthen and unify the safety and security of the information held by companies, GDPR will replace the Data Protection Act of 1998, which gives individuals more control over what personal (not business) information is held on them by organisations.
Legislation is currently going through the House of Lords and is expected to be written into law very shortly. This means it will remain in place regardless of the outcome of Brexit and become mandatory from 25th May 2018.
What it means
Responsibility for meeting GDPR legislation lies with the Data Controller and Data Processors within your organisation.
Using Mandata systems
Please note, whilst we are not authorised to give legal advice, we have made some observations relating to Mandata systems you may find useful in implementing GDPR – please log into My Mandata to view these details using the ‘Client Login’ link at the top of this page. These points should not be regarded as a guide to implementing GDPR. We recommend seeking specialist advice as to how the legislation will affect your business.
As a system owner, it is your responsibility to control who has access to your network, systems and data.
You should assess the use of systems and data to ensure that personal information is accessible only to those people who require it as part of their job. To this end, your password policy should be reviewed to ensure that passwords are sufficiently strong and that each individual has their own personal set of credentials, and that confidentiality of passwords is assured. Menu access and user groups should be reviewed and tailored to ensure only authorised persons have access to sensitive information.
Understanding GDPR terminology – Data Subjects, Data Controllers and Data Processors.
A Data Subject is an individual who is the subject of personal data.
A Data Controller is a person (organisation) that determines the purposes and means of the processing of personal data. Companies fall into this category because of personal data held physically or electronically for persons within their own organisation or outside of it.
A Data Processor is a person (organisation) that processes personal data on behalf of the Data Controller.
It is the data controller’s responsibility to ensure that any personal data held has a valid purpose for being held, and to ensure that its handling adheres to the “Data Protection Principles”. These can be quite specific to the type of data, but include accuracy, rights of Data Subjects, retirement, technical and organisational security. The responsibility for data protection lies with the Data Controller, even if processing is delegated to a Data Processor.
A Data Controller, will need to look at all data held, electronic and physical, and determine that it needs to be held and adheres to the Data Protection Principles, be prepared for fundamental changes in the way personal data is handled, including periodic verification and data retirement. One of their responsibilities will be to define a ‘Privacy Notice’ that underpins data handling.
Processing in relation to information or data means obtaining, recording, or holding the information or data, or carrying out any operation or set of operations on the data. It includes access, storage, retrieval, disclosure or erasure. Please note the Data Controller is still accountable. The Data Processor must undertake to keep personal data secure from unauthorised access, loss or destruction, and must act ONLY under the instructions of the Data Controller.
Is there a quality standard for GDPR?
At the moment there is no certification for GDPR, but there are discussions around this, and using ISO27001 is one of the options being looked at. Mandata is certified for ISO27001.