Epsom, 22 November 2016 – With the EU’s General Data Protection Regulation (“GDPR”) coming into force by mid-2018, Kroll Ontrack, the leading provider of data recovery and ediscovery products and services, warns organisations to renew their focus on data management to ensure preparedness.
The GDPR will apply to businesses and organisations in the U.K. for the following reasons:
Firstly, by mid-2018, the U.K. will likely still be an EU member state and will be required to apply EU law; and secondly, the GDPR applies to all businesses and organisations that are offering goods and services to EU citizens, monitoring the behaviour of EU citizens, or processing personal data by establishment in the EU. With such broad scope, a majority of U.K. organisations will need to pay careful attention to the GDPR and prepare.
Regardless of politics, legislation surrounding data protection has been in need of attention to acknowledge and incorporate the reality of a data-driven world. Modern businesses and organisations collect and analyse personal data, consumers entrust businesses with their personal data when shopping online, and organisations need to regularly dispose of end-of-life media containing potentially sensitive data. Data protection regulations require that such personal data be kept secure, and where it is no longer needed, it must be securely and permanently sanitised from equipment.
The GDPR has teeth, and in the most serious cases, those found in breach of it face fines of up to 4 per cent of their global turnover or €100m. For many organisations, such fines could spell financial ruin.
Lawrence Ryz, Legal Counsel at Kroll Ontrack, commented: “The GDPR dictates data minimisation, which requires organisations to only process personal data that is strictly necessary. This is a far more onerous requirement than the current regime that operates under the Data Protection Act 1998 – derived from the Data Protection Directive – where processing of personal data needs to be ‘adequate and not excessive’. The GDPR also formally enshrines the principle of the right to be forgotten. This means that companies must have the ability, access and processes in place to erase data quickly and securely, for instance where personal data is no longer needed for the original purpose or the data subject objects to processing of personal data and there are no other grounds for continuing the processing. Regardless of where data is located – computers, server rooms or in the cloud – secure and complete data erasure of personal information must be part of data protection processes.”
Ryz continued: “To successfully make the changes required by the GDPR, businesses should look to implement and update data retention and erasure processes and policies, applying these to the everyday workings of businesses to ensure a culture and methodology for compliance. This can be led by the senior members of a business and flowed down to all employees as well as to suppliers.”
Judith Massey – Judith.Massey@citigatedr.co.uk
Matt Pears – Matthew.Pears@citigatedr.co.uk
Emma Castle – Emma.Castle@citigatedr.co.uk
+44 (0) 207 638 9571