GDPR: Getting Data Protection Right (Part Three – Data Security)
This is Part Three in Mills & Reeve’s series of blogs about Getting Data Protection Right.
Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. You have to use appropriate technical and organisational measures to achieve that data security.
Where an organisation’s computer systems are hacked, it is usually as a result of a failure to meet this obligation.
To support data security, the GDPR also restricts transfers of personal data outside the EU and requires a whole raft of provisions to be included in any contract under which personal data are processed by one organisation on behalf of another. This requirement applies to contracts you have now that will last beyond 25 May 2018.
Practical steps to take now
- Review who in your organisation has access to records containing personal data (particularly any records containing special categories of personal data) and determine whether it necessary for everyone who currently has access to retain it.
- Consider whether pseudonymisation and encryption of personal data would be sensible – the GDPR and accompanying guidance published to date refer specifically to this.
- Plan staff training updates to emphasise the importance of data protection within your organisation.
- Ensure any contracts that your organisation has where personal data are transferred to another organisation – which happens where you use a cloud-based software system, for example – are GDPR-compliant and contain the mandatory provisions for data processing contracts. The ICO’s guidance on this can be accessed here.
At Mills & Reeve we offer a range of products and services relating to GDPR-readiness and data protection – to find out more please contact one of our data protection experts Paul Knight, Sarah Whyman or Edward Hadcock.