32 www.glasgowchamberofcommerce.com


Crackdown on data security is about to get personal


Over the past few years the Information Commissioner's Office (ICO) has been showing its teeth by enforcing large fines on organisations that breached the Data Protection Act 1998 (DPA). In 2016, TalkTalk received the largest fine the ICO had issued to date, £400,000, for sloppy data security that failed to prevent an attack on its systems; a year later Keurboom Communications received the same fine for making 100 million nuisance calls without people's consent. However, from 25 May this year the penalties have become far more onerous, as the General Data Protection Regulation (GDPR) comes into force. The new law gives the ICO a two-tiered sanction regime: "lesser" infringements carry a maximum fine of €10 million or 2 per cent of an organisation's worldwide annual turnover, whichever is greater, while the most serious infringements carry fines of up to €20 million or 4 per cent of turnover, again whichever is greater. Under the GDPR sanctions, TalkTalk's fine for its security failings could have reached £59 million, according to a study last year by security consultancy NCC Group.


DATA DEFINED


Personal data: information that can be used, directly or indirectly, to identify a living person, such as a name, address, IP address and so on. It also includes pseudonymised data where it can still be linked back to a person.

Sensitive personal data (known in the GDPR as "special category" data): information that goes beyond simple identity and is intimate to the person, such as racial or ethnic origin, religious beliefs, sexual orientation, political opinions, health details and the like.


So, in addition to larger fines for data breaches, what new obligations does the GDPR put on organisations that hold personal information? The main principle behind the GDPR, which is being introduced to harmonise data protection law across the EU, is to give individuals greater protection over how their personal information is collected, used and shared by organisations. The growth in the use of social media and mobile phones has resulted in far more personal information being captured from people. This was not envisaged in the original Data Protection Act, which is why the GDPR widens the definition of personal data to include online identifiers such as IP addresses and mobile device identifiers.


The GDPR requires organisations to be more accountable for their handling of people's personal information, with formal data protection policies, data protection impact assessments for higher-risk processing, and written records of how data is processed. Companies employing 250 people or more must keep documentation stating why people's data is collected and processed, what information is held and for how long, and the technical and organisational measures employed to keep it secure (smaller companies must do so too where their processing is not occasional, carries a risk to individuals, or involves sensitive data). Organisations whose core activities involve large-scale processing of sensitive data, or large-scale regular monitoring of individuals, must appoint a dedicated data protection officer. Under the DPA, only "data controllers", the organisations that decide the purpose and manner in which personal data is used, were subject to the law, but under the GDPR "data

