Is your business GDPR ready?: Checklist and countdown
By now, you’ve probably heard plenty about the General Data Protection Regulation (GDPR), which comes into force in May of this year. The regulation governs how organisations use the personal information people provide to them, and many have raised concerns about what it will mean for businesses and how they will need to re-evaluate the way they collect, store and share personal data.
Replacing the Data Protection Act 1998 (originally introduced in the UK to implement the 1995 EU Data Protection Directive), GDPR is a new set of European data protection rules that brings the UK’s regime in line with the rest of the EU before Brexit, and is intended to keep the two standardised after Britain has officially left the European Union.
“For the avoidance of doubt, Brexit will have no impact on UK adoption of the regulation. Quite apart from the fact that the UK will still be a part of the EU when it comes into force, the Data Protection Bill before parliament implements GDPR in full, meaning that the provisions of GDPR will still apply after Brexit.” – Giulia Foss, CNS Group
The aim of GDPR is to give members of the public more control over how organisations use their data, including an easier route to reviewing the information held about them. As we’ve explained previously, in HR terms this means employees will be entitled to know exactly what data your company holds on them, where it’s stored, how it’s used and by whom. They also have the right to have inaccurate information corrected, and the ‘right to be forgotten’ (the right to have their information erased from a company’s systems).
For the businesses that hold this personal information, failure to comply with the requirements of GDPR can result in a hefty fine, and fines are likely to be at their highest where non-compliance has led to a data breach. For less serious infringements the maximum is €10 million or 2% of annual global turnover, whichever is greater; for the most serious infringements it is €20 million or 4% of annual global turnover, again whichever is greater.
With that in mind, you shouldn’t just ensure that your company complies with GDPR on paper; it’s also vital that you take the necessary steps to prevent breaches from happening, and, if one does occur, that you have processes in place to notify the regulator and, where the breach puts them at high risk, the affected individuals.
“This is the biggest change for 20 years in data protection laws. It affects users living within the EU, and the companies that deal with them (even businesses outside of the EU).” – Lilo
With the new data protection regulations applying to the UK and all EU member states from 25th May 2018, make sure your business is ready for GDPR with our checklist…
4 weeks to go…
Appoint a Data Protection Officer (DPO)
By now you should have already assessed whether you need to appoint a DPO. If you’re unsure: public authorities are required to have one under the new legislation, as are organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data (such as health, biometric or trade union data).
In these cases the DPO is essential, acting as a point of contact for your data subjects and for the regulator, advising you on your data protection obligations, and monitoring your internal compliance, amongst other duties. Your business can either appoint a DPO in-house or engage one from an external provider.
Complete a gap analysis
If you haven’t done so already, you should conduct a detailed gap analysis. This audits your current level of compliance with GDPR and identifies anything that needs rectifying before the May deadline. It also gives you the raw material for your Article 30 documentation: the record of all personal data processing activities carried out by your business, including why the data is processed, who it is shared with and how long it is kept.
Create a register of sensitive data
In order for your business to pass a data audit under the new regulations, you’ll need to be fully aware of all the personal (and particularly sensitive) data your company holds, where it’s stored, and how it is accessed and used. The most effective way of doing this is to create a data register listing each data set, the systems it lives in, who has access, and the purpose and legal basis for holding it.
An internal data register matters in practice because you need to be able to locate an individual’s data quickly when they ask to see, amend or erase it; without one, every such request becomes a manual search across systems.
Secure the personal information you hold
To reduce the likelihood of a data breach occurring (and the hefty fine that could follow), you should secure all personal data your company holds. GDPR frames this as appropriate technical and organisational measures, for example only accessing the data over a secured network, encrypting it at rest and in transit, and enforcing strong, unique passwords for the accounts that can reach it.
To protect your organisation from ransomware and other attacks, TelcoSolutions advises auditing your risk, keeping systems patched, regularly backing up data, and using antivirus software.
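To make “encrypting the data” concrete, here is an added example (our own illustration, not code from GDPR, TelcoSolutions or any of the sources quoted on this page) of field-level encryption for a stored HR record using AES-256-GCM from Go’s standard library. The record ID and field name are bound into the ciphertext as additional authenticated data, so a ciphertext copied into a different record or column fails to decrypt rather than silently decrypting to someone else’s address. The record layout, the sample values and the in-memory key are all constructed for the example; in production the key would come from a secrets manager or HSM, not from code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Record is a constructed HR record. Only the personal fields are encrypted;
// the ID stays in clear so the row can still be indexed and joined.
type Record struct {
	ID          string
	HomeAddress string
	NINumber    string
}

// EncryptedRecord is the form that is written to the database or disk.
// Each protected field holds base64(nonce || ciphertext || GCM tag).
type EncryptedRecord struct {
	ID          string
	HomeAddress string
	NINumber    string
}

// newAEAD wraps a 32-byte key in AES-256-GCM.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds a ciphertext to one record and one column. It is authenticated
// but not encrypted, so GCM rejects the ciphertext if either value changes.
func aad(recordID, field string) []byte {
	return []byte(recordID + "|" + field)
}

// sealField encrypts a single field with a fresh random nonce.
func sealField(aead cipher.AEAD, recordID, field, plaintext string) (string, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext+tag to the nonce slice, so the nonce is stored in front.
	ct := aead.Seal(nonce, nonce, []byte(plaintext), aad(recordID, field))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// openField decrypts one field; any tampering, key mismatch or wrong
// record/field binding surfaces as an error, never as garbage plaintext.
func openField(aead cipher.AEAD, recordID, field, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := aead.Open(nil, raw[:ns], raw[ns:], aad(recordID, field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// EncryptRecord protects the personal fields of r under key.
func EncryptRecord(key []byte, r Record) (EncryptedRecord, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return EncryptedRecord{}, err
	}
	addr, err := sealField(aead, r.ID, "HomeAddress", r.HomeAddress)
	if err != nil {
		return EncryptedRecord{}, err
	}
	ni, err := sealField(aead, r.ID, "NINumber", r.NINumber)
	if err != nil {
		return EncryptedRecord{}, err
	}
	return EncryptedRecord{ID: r.ID, HomeAddress: addr, NINumber: ni}, nil
}

// DecryptRecord reverses EncryptRecord, failing closed on any integrity problem.
func DecryptRecord(key []byte, e EncryptedRecord) (Record, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Record{}, err
	}
	addr, err := openField(aead, e.ID, "HomeAddress", e.HomeAddress)
	if err != nil {
		return Record{}, err
	}
	ni, err := openField(aead, e.ID, "NINumber", e.NINumber)
	if err != nil {
		return Record{}, err
	}
	return Record{ID: e.ID, HomeAddress: addr, NINumber: ni}, nil
}

func main() {
	key := make([]byte, 32) // constructed key; use a KMS/HSM in production
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	rec := Record{ID: "emp-001", HomeAddress: "1 High Street, Exampletown", NINumber: "QQ123456C"}
	enc, err := EncryptRecord(key, rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %+v\n", enc)
	dec, err := DecryptRecord(key, enc)
	fmt.Printf("restored: %+v (err=%v)\n", dec, err)
	// Moving the ciphertext to another employee's row is detected.
	enc.ID = "emp-002"
	_, err = DecryptRecord(key, enc)
	fmt.Println("swapped into another record:", err)
}
```

The design choice worth noting is the additional authenticated data: encryption alone stops an attacker reading a leaked database dump, but binding each ciphertext to its record and column also stops an insider (or a bug) from quietly re-assigning one person’s data to another. Anything that fails integrity returns an error, which is the behaviour you want when the data is someone’s home address.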
3 weeks to go…
Implement new policies
When completing your gap analysis, you should also have assessed the existing policies your company has in place to respect the rights of individuals when collecting and holding personal information: how you obtain consent, what your privacy notices say, and how you respond to requests to access data. Under the new legislation you’ll need a procedure for responding to subject access requests within one month (extendable by a further two months where requests are complex or numerous, provided you tell the individual within the first month).
If your existing policies don’t comply with GDPR, now is the time to bring them in line. During this stage you should also put a process in place to decide when a DPIA (Data Protection Impact Assessment) is required, which is whenever processing is likely to result in a high risk to individuals, such as large-scale profiling or monitoring.
Ensure you’re prepared for data breaches
One of the key aspects of GDPR is breach notification: if a personal data breach occurs, you must report it to the regulator within 72 hours of becoming aware of it (unless it is unlikely to result in a risk to individuals), and you must tell the affected individuals without undue delay where the breach is likely to put them at high risk. To meet this you should have policies and procedures in place to detect, contain, investigate and report data breaches, and keep a record of every breach, including those you decide not to report.
Because the 72-hour clock starts when you become aware of the breach, we also recommend monitoring and alerting on your systems so that a suspected breach is detected and escalated promptly rather than discovered weeks later.
2 weeks to go…
Educate your staff
To make the implementation of GDPR as seamless as possible for your business, you should take steps to educate your staff on the importance of data protection and the basic principles of GDPR your organisation needs to comply with. All staff should be made aware of any new and updated data protection policies, but this is especially vital for those who collect and use personal information day to day (such as your HR, sales and marketing teams).
You should also communicate any changes to contracts, privacy notices and policies to customers, suppliers and other stakeholders.
Schedule regular audits
To ensure your continued compliance with GDPR, you should have a schedule in place for regular audits of your organisation’s data processing and security controls. As part of this process, you should also ensure that your records of personal data and of your processing activities are kept up to date as systems and suppliers change.
To find out more about preparing for GDPR and how it will affect you, check out our previous blogs and secondary resource: