GDPR applies throughout the UK and the EU from 25 May 2018. With four months to go, only 40% of IT professionals in the UK have started their preparations, and 15% have no intention of preparing before the deadline arrives. The IT industry is not in an ideal position.
There is a lot of uncertainty around GDPR: what it is for, who it affects, and what it actually requires. In this blog we aim to clear up that confusion and give you some practical steps you can take towards compliance.
The current Data Protection Act was passed by Parliament in 1998 to control the way personal information is handled, and to give legal rights to the people that information is about.
1998 was before the arrival of broadband, before the adoption of handheld devices, and before the birth of social media. It is no wonder the law needs an upgrade, particularly when we consider how much personal information people now share on social media sites and how much of it businesses can access.
GDPR is a comprehensive overhaul of the Data Protection Act 1998. It is aimed at standardising data protection throughout the EU, and it applies to any organisation that processes personal data about individuals in the EU, wherever that organisation is based. Compared to the current Data Protection Act, GDPR places considerably more emphasis on individuals being able to control their personal data, holds organisations accountable for the personal data they hold, and requires consent to be specific, informed and unambiguous rather than assumed.
€20 million (around £17 million) or 4% of global annual turnover, whichever is greater: that is the maximum penalty an organisation could face for failing to comply with GDPR. There has been plenty of scaremongering, to the point where the potential fines have received more attention than the legislation itself. That emphasis has been deliberate, as a catalyst for compliance, particularly for companies that hold huge quantities of personal data.
The fines may seem like a big deal, and the prospect of them should not be ignored, but the ICO will not be handing them out haphazardly. In 2016/17 only 16 of the 17,300 cases the ICO concluded resulted in fines for the organisations involved, and the ICO has yet to hand out its current maximum fine of £500,000.
Undoubtedly, the biggest impact GDPR will have on businesses is the time it takes, especially for those that are yet to start the compliance process. Achieving compliance is not difficult, but it is time consuming: working through all the steps and documenting them can take several months. Once you have achieved compliance, however, the correct processes will be in place, along with clear actions to follow to stay compliant.
You should make sure you have up-to-date asset registers, and that you know what personal data you hold, where it is stored, and who can access it. Every data set needs a classification and a documented reason (lawful basis) for processing it.
Once you understand what data you have and where it is kept, you can analyse the risk to it. For example, your most sensitive data might be stored in a country that lacks adequate data protection safeguards, or it might be readable by everybody in your organisation. Once you have identified the risks, you can begin mitigating them.
Data protection should be a priority for everybody in an organisation. Your staff need to be trained regularly and kept up to date with your company policies. It may be worth appointing a Data Protection Officer to help with this, regardless of whether GDPR requires you to have one. You should also review your policies, particularly consent forms, and make sure you have a process in place for assessing any new technology or data process before it is introduced.
You need to make sure your organisation is secure: malware protection, encryption, firewalls and regular patching are all crucial. These technical controls should complement and underpin your organisational controls. Depending on the type of data you handle and the nature of your business, you may need to invest in more advanced technology to keep your data secure.
Remember, even well-protected organisations suffer data breaches. What matters under GDPR is that you have taken appropriate measures to protect the personal data you hold, and that you can demonstrate it. If you have not yet started the compliance process, we recommend you start now: GDPR compliance is not difficult, but it is time consuming.