By Brendan Fay, COO, Ward Solutions
The General Data Protection Regulation (GDPR) comes into force on 25th May 2018, less than six months from now. Through its work with Irish companies, Ward Solutions, Ireland’s leading information security provider, has identified a number of key areas that businesses are struggling with and which need focus as the deadline for compliance approaches, and has outlined where it thinks companies should be in terms of their own preparations.
Current data protection legislation provides a guide towards GDPR
Companies wondering where to start their compliance journey should first take heed of current data protection regulation. Organisations that already have systems in place and are compliant with current regulations are well on the way to GDPR compliance. The key difference between current regulation and GDPR lies in GDPR’s accountability requirements, which oblige organisations to provide evidence of how they comply with the new obligations. Irish businesses need to take this into account, but Ward’s experience is that those that comply with existing regulation are well on the way to fulfilling these obligations.
Large organisations almost out of time
Small companies may still have time to get the appropriate systems and processes in place to achieve compliance with the regulation. However, larger organisations that process a lot of personal data and require a significant amount of information governance will face a number of challenges in this area, which could make achieving compliance ahead of next May’s deadline very difficult.
Appointing a Data Protection Officer a challenge
Throughout our work to date in helping companies to achieve compliance with GDPR, Ward Solutions has found that many companies are struggling to appoint a Data Protection Officer (DPO). The role of the DPO is extremely complex, and whoever holds the position must have expertise in national and European data protection laws and practices, including an in-depth understanding of the GDPR; an understanding of the processing operations carried out by their organisation; a thorough understanding of information technologies and data security; advanced knowledge of both the business sector and the organisation; and the ability to promote a data protection culture within the organisation.
The DPO will advise on and monitor the ongoing GDPR compliance of a business. Come May 2018, they will be the main point of contact between the organisation and the supervisory authority. In Ward’s experience, the DPO is the go-to person for driving the data protection compliance programme within an organisation.
GDPR necessitates a culture shift within organisations
GDPR will necessitate a culture shift within organisations. No individual technology can guarantee GDPR compliance. Ultimately, compliance will be brought about by a combination of people, processes and technology. Established practices, such as storing and sharing unstructured data (for example, personal data held in Excel spreadsheets), must be reviewed.
Organisations need to act now to move away from unstructured data, consolidate their systems and build personal data management systems that will enable them to better track the flow of personal data through their organisation.
Data retention causing confusion
Another area that is causing confusion for businesses is data retention. Companies are finding themselves confused by the requirements to ask newsletter subscribers to give their consent again in order to remain on mailing lists, and to delete contacts for which no lawful basis for holding their personal information can be found, or for which there is no longer any business need. Some companies may already have good information governance processes in place, in which case this may not be an issue. However, organisations that are unclear on their obligations should seek guidance from a third-party specialist.
Limited time remaining and much still to do
The time remaining until the legislation comes into force is limited, and the time required for culture change, for moving unstructured data, for performing risk assessments and deleting information that should not be retained can be quite significant. Large organisations that are seeking to develop personal data management systems and compliance portals may require even more time than they anticipate, as these initiatives are likely to require sign-off from senior management prior to being rolled out on a company-wide basis.
Specialists like Ward Solutions are on hand to steer companies towards compliance, but those who fail to act now could find themselves exposed to substantial fines of up to €20M or 4% of global turnover, whichever is greater. Ultimately, the key thing for Irish businesses to realise is that they need to get moving now to safeguard their futures beyond May 25th, 2018.