The new European General Data Protection Regulation (GDPR) will become law on 25 May 2018. The GDPR has come into being as a reaction to the rapid technological advances seen since the introduction of the Data Protection Act in 1998, and also to standardise and harmonise legislation across the EU.
Regardless of the effect of Brexit, all companies that hold data will have to comply with the GDPR. Firstly, the legislation will come into force while the UK is still part of the EU. Secondly, even post-Brexit, businesses will still have to demonstrate compliance if they wish to work with the remaining EU member states. And finally, it is widely expected that the principles of the GDPR will be enshrined in UK law once the UK leaves the EU.
Two of the most widely discussed principles of the GDPR are the new levels of consent that must be granted for personal information to be held, and the right that citizens will have to request that their personal data be forgotten, i.e. permanently deleted.
Specifically, companies will no longer be allowed to hold data that has not been lawfully collected using specific levels of ‘opt-in’ consent, under wording that is clearly understandable. Any personal data collected without this higher level of consent will therefore not be viewed as compliant; in that case, either consent must be granted retrospectively or the data must be deleted.
Individuals will also have the right to request the erasure of their data if it is no longer being held for current and demonstrably compliant purposes. This is also known as the ‘right to be forgotten’. There are some circumstances under which a company may be able to refuse an erasure request, but the onus is then on that company to prove why it needs to keep the data.
Under the GDPR, penalties of up to €20 million or 4% of annual turnover, whichever is higher, can be imposed for compliance failures. It is therefore becoming widely accepted practice for firms to audit the data they currently hold, to ensure that it has been obtained and stored correctly and is still necessary, before the GDPR comes into force.
BTG Advisory’s Forensic Technology team can help you adhere to these new, stringent data protection regulations. Our specialist software can thoroughly search your entire network and databases for even the most specific data and its corresponding links. Knowing exactly where data is held is often an extremely complex task, especially for businesses that use data-heavy resources or share data between systems or employees. Although you may believe that all data has been located and removed, this is often only the top level of visible data; further copies are frequently stored elsewhere, in back-up files and other less discernible locations. Once our systems have identified all copies of non-compliant data, they can be securely deleted by overwriting, so that recovery of the data is not possible.
Contact BTG Advisory to find out more about our secure data mining and deletion services.