GDPR: Getting Data Protection Right (Part Three – Data Security)

This is Part Three in Mills & Reeve’s series of blogs about Getting Data Protection Right.

In Part One we looked at lawful processing, and in Part Two we focused on transparency. In this Part Three, we focus on data security.

Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. You have to use appropriate technical and organisational measures to achieve that data security.

Where an organisation’s computer systems are hacked, it is usually as a result of a failure to meet this obligation.

To support data security, the GDPR also restricts transfers of personal data outside the EU and requires a whole raft of provisions to be included in any contract under which personal data are processed by one organisation on behalf of another. This requirement applies to contracts you have now that will last beyond 25 May 2018.

Practical steps to take now

  • Review who in your organisation has access to records containing personal data (particularly any records containing special categories of personal data) and determine whether it is necessary for everyone who currently has access to retain it.
     
  • Consider whether pseudonymisation and encryption of personal data would be sensible – the GDPR and accompanying guidance published to date refer specifically to this.
     
  • Plan staff training updates to emphasise the importance of data protection within your organisation.
     
  • Ensure any contracts that your organisation has where personal data are transferred to another organisation – which happens where you use a cloud-based software system, for example – are GDPR-compliant and contain the mandatory provisions for data processing contracts. The ICO’s guidance on this can be accessed here.

At Mills & Reeve we offer a range of products and services relating to GDPR-readiness and data protection – to find out more please contact one of our data protection experts: Paul Knight, Sarah Whyman or Edward Hadcock.
