The EU GDPR (General Data Protection Regulation) comes into law on 25th May 2018. This may feel like a long way away but the obligations contained in the regulation are onerous and businesses need to be getting ready now. The regulation will be applicable immediately once the date arrives so businesses are being given plenty of notice to get systems and processes in place so that they are compliant.
So what’s the GDPR all about?
The GDPR introduces stricter data protection rules for organisations that operate in the EU market and process or hold the personal information of EU citizens. This information ranges from email addresses, passport numbers, financial details and address details through to information relating to an individual’s religious or political beliefs. The GDPR is designed to increase the privacy of individuals and protect their personal data. Hefty penalties will be laid on companies who experience data breaches, some up to €20m depending on turnover and the amount of data being processed. Businesses are well advised to begin now (if you haven’t already started!) putting in place procedures and systems that ensure compliance and protection against potential data breaches.
As cyber criminals get smarter and find more and more ways to hack into companies’ databases, the risk of a breach is increasing all the time. Unprotected companies are not only risking their reputation with their customers; when the GDPR comes into effect they will also be liable to hefty fines in the event of a cyber-attack on their data.
What are the implications for my business?
The GDPR places onerous obligations on companies to demonstrate compliance, requiring them to:
- Maintain certain documentation
- Conduct a data protection impact assessment
- Implement data protection by design
- Prove clear consent to process personal data
In the event of a data breach, businesses must notify the Data Protection Authorities within 72 hours. All companies will have to adopt internal procedures for handling data breaches. These requirements are applicable to any size of business that processes personal data for a commercial purpose, from a sole trader to an SME to a multinational.
Don’t make the mistake of assuming this won’t apply to your business because of size, turnover or the amount of data held. SMEs and smaller businesses are expected to manage their data flows and processes to the same extent as larger companies. Whilst some areas of the regulation recognise that SMEs have fewer resources and reduced capabilities and may well pose less of a risk to the privacy of EU citizens, that does not mean SMEs can do nothing. They too have to address the conditions of the regulation and get compliant in so far as is possible.
— Novi (@techbynovi) November 24, 2016
What should I do next?
Inform your Team – Make sure you raise awareness internally of the change in the law. Identify the key people in your organisation who can assist in the journey to compliance and enlist them on the project.
Data review and audit – Conduct an internal review and identify where data is held, e.g. HR records, supplier contracts, financial records etc. Review how data is processed and who has access to it, and document the findings.
Review your internal processes – Review your privacy notices and data collection processes to ensure they cover all the rights an individual has, especially around consent to collect and hold their data.
Adopt Privacy by Design – Document and implement methods to ensure that data protection becomes a key component of the company’s internal processes and is seen to be a key consideration in the early stages and throughout the lifecycle of any project, be it a new IT system, the sharing of data or the use of data for new strategic purposes.
Appoint a Data Protection Officer – Consider appointing someone within your organisation to take ongoing responsibility for data compliance and protection.
Secure your Data – Put systems in place to protect your data from a security breach. Map technology to the processes required to ensure compliance on an ongoing basis. Work with a Cyber Security Solutions company that can put solutions in place to identify weak links in your network that could leave you vulnerable to attack.
Security as a Service to ease the pain
Cyber Security as a Service delivers reliable, high-performance and cost-effective security as a managed service, taking the headache away from companies.
As cyber threats are continually evolving and criminals find ways to evade systems, the changing threat landscape requires specialist expertise and a multi-layer approach. Managing all of this in-house is a real challenge for companies, and many of them are migrating some or all of the risk out of their IT departments into the hands of professionals.
Implementing security systems is not a one-off activity; it requires ongoing monitoring and improvement as the cyber criminal’s modus operandi moves at an alarming rate. A good Cyber Security firm will utilise tools that are highly scalable, support multi-tenant environments and provide robust, single-pane-of-glass management to implement and maintain a secure data environment.
Don’t delay on the GDPR
Although mid-2018 may seem a long way off, businesses would be well advised to start planning now! Systems and processes take time to change. You can’t ignore the GDPR and you can’t afford to get it wrong. The countdown has started!