The countdown to the General Data Protection Regulation (GDPR) is underway. The new regulations will cause disruption to how businesses store, manage and process personal data. Businesses need to respond now, to make sure they are compliant by May 2018.
How does this affect my business?
Any company that processes consumers’ personal data will need to comply with the new obligations. That means first understanding how existing processes change under the new rules:
- Consent – do you have explicit consent from individuals for the data you hold about them?
Under the new rules the requirements have been tightened significantly. Requesting consent from a consumer to process their personal data must be unambiguous.
- New responsibilities – are you a data processor or a data controller responsible for processing personal data?
Under the GDPR, data processors will have greater legal liability and are required to maintain records of personal data and processing activities. There are also further obligations on controllers to ensure that any third-party contractors, e.g. cloud hosting or outsourcing providers, also comply with the GDPR.
- Accountability – do you have a data protection programme and are you able to provide evidence of how you will comply with the requirements of the GDPR?
Organisational and technical measures to protect personal data are now the responsibility of both the data controller and the data processor; data protection and privacy requirements should be built into the development of your business processes and systems.
- Mandatory breach notification – would you be able to notify a data protection supervisory authority of a data breach within 72 hours?
You will need internal processes that allow you to report and manage communications with affected consumers quickly and accurately.
- New rights – do you know how you will comply with the new rights: the right to be forgotten, the right to data portability, and the right to object to data profiling?
You will need processes in place to comply with these rights and to provide assurance that they have been adhered to (including notifying third parties).
- Data protection officers – do you conduct large scale systematic monitoring (including employee data) or process large amounts of sensitive personal data?
Where large-scale processing of data is evident, a dedicated Data Protection Officer needs to be appointed.
Do you know what data you hold and where it is?
Organisations often underestimate the amount of customer or client data that they hold. As a result, they also underestimate the potential impact and reach of the GDPR.
If organisations do not know what data they hold and where it is, the risk of non-compliance and subsequent penalty is substantial. This is because the new rules which come into force in May 2018 introduce a number of new stipulations and repercussions for firms that are not managing data adequately.
It is imperative that organisations examine not only their primary sources of customer and client data (for example customer relationship management systems and marketing systems), but all their sources of data in all forms.
Data can be generated or stored in the following places:
- current IT systems;
- portable media devices;
- mobile phones;
- mobile data storage, i.e. USB sticks and external hard drives;
- network folders;
- spreadsheets (and other such static documentation);
- emails and archived inboxes;
- other external communications;
- social media postings;
- back-up tapes;
- secure drop boxes;
- websites;
- decommissioned systems and IT hardware; and
- hard copy documents and archives.
This is a list of just some of the things that may need to be considered.
The scale of this is staggering when one considers the size of organisations in some markets today and the volume of data they store.
Where do you go from here to defend yourself against non-compliance?
As part of the readiness review that all firms should now be carrying out, there should be an audit of all data sources across the entire organisation so that reasonable steps can be taken to mitigate risk.
Education of all staff will also be pivotal to continued compliance with these regulatory developments. Responsibility for maintaining the integrity of data cannot sit only with the IT department that maintains the systems holding the data; it must reach across all those departments that acquire, generate and use data.
How we can help
Our specialists can help you to ensure compliance in the first instance, and provide the evidence to prove it in the second. Through robust analysis we will identify any risks and implement processes and systems to ensure compliance:
- GDPR gap analysis
- Privacy Impact Assessment
- GDPR awareness sessions
- Breach management processes
- Security monitoring and reporting