The GDPR is set to come into effect in six months’ time (25 May 2018), and it is vital for businesses to get to grips with what it is and how they must prepare, as many are still unsure of what they must do.
What is the GDPR?
The GDPR is the biggest change in information security legislation since the Data Protection Act of 1998, and is part of an EU policy that aims to make companies accountable for the security of the data they hold, and enforce serious fines if they do not measure up to the new standards of responsibility.
The legislation will give comprehensive oversight of all data-related issues, and will affect almost every business that deals with customer and personal data on any level, ensuring that data is handled with transparency, competency and accountability.
Customers and clients should be able to easily find out what data companies have about them, how they use it, how they protect it, why they need it and who they might share it with. The legislation recognises the value of data, both in terms of personal privacy, and data as a resource which can be bought and traded.
The GDPR will ensure that data is:
- Collected legally with explicit consent for terms of usage and sharing
- Stored and processed safely and with limited retention
- Protected against breaches, and that any data breaches are reported immediately and contained responsibly
People often undermine the security measures that businesses put in place online: they find security processes frustrating and time-consuming, because we have come to expect convenience and speed.
What happens if you aren’t ready?
If your company fails to comply with the GDPR you could be at risk of huge fines: up to €20 million or 4% of global turnover (whichever is greater).
How should you prepare?
Assess where you are now, and how much work you will have to do to get your company in line.
1. Data Collection
You must begin by asking some questions about how you get your data:
- What consent do you receive when you collect personal data from your customers and clients?
- How long can you hold the data?
- Can you share it? If so, with whom?
- How do you use the data?
For marketing uses, both B2B and B2C, email and SMS recipients must now be explicitly opted-in. For profiling purposes you will also need explicit consent, and to make it very clear how profiling will take place and what automated decisions would be made based on the profiled criteria.
2. Storing and Processing Data
You need to conduct a risk assessment of how data is used and how it moves about your company, evaluating:
- Where is data held? Where is it sent around your company?
- Who has access to the data? What level of skills, clearance and training do they have?
- How sensitive is the data (personal, sensitive, anonymous)?
- What 3rd parties is the data shared with? How is it transferred?
- What agreements and contracts do you have with data processors and CSPs?
- Where are your Cloud servers? What is your Cloud security like? What encryption is used? Does it include mobile devices?
- How secure is your technology? Are there adequate firewalls and virus protections?
- Is there a clear password policy? Is it enforced?
- What do you do with your data when you aren’t using it? What are your data elimination policies?
Who is responsible for answering these questions?
The GDPR centres on responsibility and accountable dealings with data, and you must have someone in your organisation who is responsible for issues of compliance and data security; this will be your Data Protection Officer (smaller companies can use consultancies to outsource this responsibility).
A Data Protection Officer is required in companies where:
- The data processing is carried out by a public body, except for courts operating in their judicial capacity
- The ‘core activities’ of the data controller include ‘regular and systemic monitoring of data subjects on a large scale’
- The ‘core activities’ of the data controller include the processing of sensitive data on a large scale
You also need to ensure that all your staff understand your Data Safety Procedures.
3. Repairing and Reporting Data Breaches
You must be able to prove you have done everything within your power to reasonably protect against breaches, but if one does occur, whether it is due to a hacker, inadequate security or human error, you must have a procedure in place to deal with it.
- You should have good information governance procedures, meaning that you know what data you hold, so should some of it be leaked, you know how bad a situation you are dealing with.
- If a breach happens you must inform your staff, your customers (whose data has been affected) and the Information Commissioner’s Office (and/or the data protection body of any other EU country whose citizens it affects).
- You also need to have in place a good Breach Management Process that all your staff are aware of, in order to minimise the damage caused. The ICO will impose more severe penalties on organisations that have inadequate breach management processes as this will be seen as a systems and control failure.
This may not be an exhaustive preparation list, but starting to assess your position and vulnerabilities now means that you will be in a secure position by the time the GDPR comes into effect.