GDPR is fast approaching – are you prepared?
The General Data Protection Regulation (GDPR) is set to be the most important change in data privacy regulation in over 20 years. With an enforcement date of the 25th May 2018, it is imperative that you start preparing for this change – those in non-compliance could face heavy fines.
Take a look through the GDPR resources below to support, educate and start you on your journey to compliance!
GDPR explained: what it is and what it means for UK businesses
With preparation time quickly diminishing, businesses must:
- Know why GDPR has come about
- Understand how it differs from the Data Protection Directive
- Be aware how the new Regulation applies to them
- Recognise the necessary changes to make within their organisation.
GDPR is the new future-proofed European legal framework for the protection of personal data. It has been designed to deliver an improved framework for the rights of individuals and how their data is handled, stored and processed.
GDPR is an EU regulation (binding legislation that applies in its entirety across the EU), not an EU directive (legislation addressed to member states that sets out an objective for all to achieve, leaving each member state free to decide how to transpose it into national law).
This new legal framework is an expansion of existing principles, but there are some important updates and enhancements, such as the ‘Right to be forgotten’, the ‘Right to data portability’ and ‘Breach notification standards’. This page will delve into some of these key points in further detail.
Brexit doesn’t matter! In or out of the EU, it really doesn’t matter. It is still vital (and best practice) that UK businesses have a good understanding of the regulation and how it applies to them. Come enforcement day, we will not have departed the EU and will thus remain an EU member state. GDPR will consequently become domestic law here in the UK. That means complying with the new regulatory landscape, or facing heavy penalties.
When will this happen?
The countdown to GDPR compliance has already begun! With only a matter of months remaining until the enforcement deadline of 25th May 2017, it is imperative to prepare your business for GDPR now.
Vulnerabilities lie everywhere and all types of organisation are at risk of a cyber-attack. If you use paper files, now is the time to move to a more robust technology, because paper creates many points of non-compliance with GDPR, including:
- Paper documents can lead a double or triple life: do you know how many copies of your documents exist? Human handling of documents can result in a complete lack of document control and exposes organisations to data breaches. While physical copies of documents exist, they can be easily copied and stolen, and the evidence trail is hard to follow.
- Can you easily find all the information you need? If you can’t find all the information held on an individual, how can you comply with GDPR? Do you know where it is? Is it all in the same place? Is it kept externally or internally in the building? Are you confident you’ve got it all? Searching for and retrieving paper files is a time-consuming and costly exercise.
- Can your documents be kept private? Privacy is stressed in the GDPR and it is far easier to maintain when paperwork isn’t involved. Paper documents can easily get into the wrong hands, which could quickly become a data breach.
- Can you accurately manage retention periods? Organisations regularly make printed copies of digital files. If a digital file is destroyed but a paper version still exists somewhere, compliance with the GDPR is potentially affected.
Key elements of GDPR to be aware of:
Privacy by design: Promote privacy and data protection from the start; don’t ‘bolt’ it on as an afterthought or ignore it altogether. Show strong compliance by evidencing all communications and involvement that you have had with a client, as well as controlling who has access to what data.
Data quality and accuracy: It is unacceptable under GDPR to hold inaccurate and irrelevant information. Consider what information you hold and whether it is absolutely necessary. If it isn’t, simply delete it. All relevant information needs to be kept accurate as far as it is reasonable.
Accountability & data breach reporting: A personal data breach is not simply the loss of data but a breach of security, resulting in destruction, loss, alteration, unauthorised disclosure of or access to personal data. As a data controller, you must inform the relevant supervisory authority, as well as affected individuals within 72 hours of learning of a personal data breach. As a data processor, we will notify our clients immediately upon identification of such an instance.
Data portability and the right to be forgotten: The right to data portability allows individuals to move, copy or transfer personal data easily and securely from one IT environment to another. If an individual wishes to leave for a competitor, their data would need to be made freely available to the new firm without undue delay (within one month). The right to be forgotten enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
The right of access – data handling and processing: Both current and legacy customers are able to request access to the data you hold on them. How will you comply if you are faced with this request: do you know what information you hold and where it is stored? Could you fulfil the request within one month?
Only contact individuals who have expressly granted consent for you to do so:
Customers must grant permission before you use their data, and they must also know what it will be used for (the right to be informed). Be clear and precise about your intentions.
Taking the first steps to GDPR compliance:
This is just a snapshot of some of the key changes that are soon to be implemented. Fundamentally, you need to break things down into bite-sized chunks and not get overwhelmed. Understanding GDPR may appear daunting and complicated, but it needn’t be: preparation is the key:
- Understand what data you collect as an organisation, and what is actually of use.
- Don’t keep unnecessary data, which can soon become outdated; this will only lead to trouble.
- Map your data: what do you use, where is it held, where did it come from, who can access it, what do you use it for, who do you share it with, etc.
- Review the technologies used in your business. Are they fit for purpose? A staggering 32% of businesses doubt they have the right technology to cope with the requirements of GDPR. Don’t become a statistic: start preparations straight away.
- Start to get more familiar with the regulation – again, taking it in bite-sized chunks.
- Embrace privacy by design.
- Carry out a gap analysis: where are the gaps in your compliance? Prioritise them.
- Set up a cross-disciplinary project team.
- Review processes and procedures, editing and creating where necessary – privacy notices, data processing procedures, consent processes, breach notification processes, etc.
- Get the Board on board – this is fundamental.
What’s the impact of not complying?
Failure to comply could lead to a fine of up to 4% of your organisation’s global annual turnover and your company’s reputation being damaged beyond repair. Reduce the risk and start preparing today!
Watermark’s solutions can help you comply
How you store, handle and process data moving forward is key. Contact us today to discuss how our solutions can keep you on the right side of GDPR.
(Sources: The Information Commissioner’s Office, Infosecurity Magazine – GDPR: One Year and Counting)