The GDPR covers any information processed by your organisation in regard to a natural person, or data subject. In plain English, that's any identifiable living person. The GDPR covers personally identifiable information (PII) and includes any set of information that can be used to identify a data subject, including (but not limited to) names, addresses, email addresses and financial data.
Yes! It's as simple as that – it applies to every organisation in the UK and Europe, regardless of the outcome of the Brexit talks.
The GDPR covers the collection, processing, storage and destruction of sensitive data. We'll cover compliance in more detail in a future email, but for now there are some very important principles:
It means you need to know your data in a way you have probably never considered before. You need to understand your entire data lifecycle and ensure you are compliant at each stage.
This can all seem a bit daunting and, in truth, there is a lot of work to be done. However, it can be broken down into manageable steps – the key is documentation! Businesses have until May 2018 to ensure compliance, so there is absolutely no need to panic.
We've broken this down into four concepts you need to consider:
The two most critical parts here are people and policies. There is no magic technological fix for the GDPR. Training, policies, procedures and written contracts will always trump technical intervention. That's not to say technical controls are superfluous: there are times when technology is absolutely the answer, but technology should be implemented to address a specific risk that is not already addressed by people and policies.