Data Security and the GDPR – What could it mean for employers
Cyber security is right at the top of the to-do list for many organisations at the moment. With the recent attacks on the NHS, and with every reason to expect more in the near future, it is no wonder it is such a hot topic. The need to secure data has never been more important. As a result, cybersecurity is the topic of conversation for many people, from the main news feeds to watercooler chatter. However, while we certainly need to keep pressing ahead to stay one step in front of the dangers, there is a big change looming in the data protection arena that could well affect how we address data protection.
GDPR comes into force in May 2018
I am sure that by now everyone is well aware of the new General Data Protection Regulation (GDPR), which is due to be implemented in May 2018. If you are not, then you probably should be, because it is going to be pretty far-reaching and it affects everyone. In a nutshell, it is going to toughen up the existing data protection laws in a number of ways, one of which is by handing control back to the user. What that will mean in practice is still somewhat grey, but it is very clear that, where the DPA does not require it, the GDPR will demand that users opt in to any data storage and to the use that will be made of that data, and that they will have the right to be forgotten at all times. That means no more blanket collection and use of data.
Data Protection Officers
Another way the GDPR differs from the Data Protection Act is in its requirements for Data Protection Officers and the impact of compliance on the workplace. At the moment there is no actual requirement for a business to have a DPO as such. As a result, while there is often a named person who acts as a DPO, the scope and range of their duties can vary. The GDPR is very clear that a DPO will be required if the business in question has more than 250 employees. Time will tell how this figure is measured in practice, and I am sure there will be a lot of discussion around areas such as contract workers, but to be safe on compliance, anyone who is close to this figure should probably look to appoint a DPO as soon as possible.
The reason for this is that the compliance requirement of the GDPR is strict and very much a change from the DPA’s approach of ‘suggested and recommended’ to a much harsher ‘comply and report’ based system. For example, as of May 2018, you will be required to report a breach of your data within a set period, where the current guidance only suggests that this would be an appropriate action.
The biggest change, though, is probably the requirement to be able to demonstrate compliance. As with other compliance-based laws (fire safety, for example), this will mean documentation and, in some cases, company-wide awareness training. Again, though, what form this takes may well vary from company to company.
The penalties for not complying with the new laws are very stiff indeed and in extreme circumstances could be as high as €20 million. While it is unlikely that fines of this size will be handed out regularly, the underlying message is one of increased accountability and hefty fines for those who do not comply. This law is Europe-wide: it applies to anyone who has a presence in the EU, and Brexit will not affect its implementation.
If you are an employer, then now is the time to look at really beefing up your cybersecurity and reviewing your current DPA compliance in light of the new regulations. If you work in the areas affected, then knowledge of the GDPR is certainly a good career move. If you happen to be a Data Protection Officer or work in cyber security, then we think you can expect to be in high demand next year.