Set to be enforced from May 2018, the General Data Protection Regulation (GDPR) will place stringent demands on the way organisations handle personal data from European residents. The May deadline for GDPR compliance may seem like a long way off, but given the complexity of change it will require in the way organisations handle personal data, it’s really not. Preparing for the GDPR should be high on the agenda for any organisation that processes personal data.
The increased obligations that the GDPR places on companies might cause some anxieties for business planners. Although many of the main concepts and principles of GDPR are much the same as those in the current Data Protection Acts 1988 and 2003 (the Acts), the GDPR introduces new elements and significant enhancements which will require detailed consideration by all organisations involved in processing personal data.
Some elements of GDPR will be more relevant to certain organisations than others, and it is important and useful to identify and map out those areas that will have the greatest impact on your business model.
10 simple steps to take now
So, what can companies do to ensure they are compliant by May 2018? Here are 10 simple steps organisations can take:
1. Raise awareness
It is important to ensure that all the important decision makers within your organisation are aware of the implications of GDPR and what it means to their everyday operations.
2. Establish how your organisation deals with data
You should document what personal data you hold, where it came from, on what legal basis you process it, and who you share it with. Auditing your current practices is one of the best ways to prepare for GDPR, so a thorough understanding of how your organisation deals with data is paramount.
3. Examine every facet of data handling in your organisation
It’s important to establish where personal data is being stored, then to assess the security of each location, who is responsible for controlling that data, and whether (and with whom) it is being shared.
Getting your IT department involved with this process is crucial and will give you a better idea of the current capabilities of your organisation.
4. Examine previous breaches
Examining any previous data breaches affecting your systems will give you a clearer idea of your organisation’s ability to react to future incidents, and a better picture of whether those procedures can meet the new requirements.
One of the standout measures introduced under the GDPR is that personal data breaches must be reported to the supervisory authority within 72 hours of your becoming aware of them, unless the breach is unlikely to result in a risk to individuals. The notification must describe the nature of the breach, the categories and approximate numbers of individuals and records affected, the likely consequences, and the measures taken to address it. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be informed without undue delay.
5. Appoint a data protection officer (DPO)
The GDPR will require some organisations to designate a Data Protection Officer (DPO). Organisations requiring DPOs include public authorities, organisations whose core activities involve the regular and systematic monitoring of data subjects on a large scale, and organisations whose core activities involve large-scale processing of what is currently known as sensitive personal data (special categories of data under the GDPR) or data relating to criminal convictions.
The important thing is to make sure that someone in your organisation, or an external data protection advisor, takes responsibility for your data protection compliance and has the knowledge, support and authority to do so effectively. Therefore you should consider now whether you will be required to designate a DPO and, if so, to assess whether your current approach to data protection compliance will meet the GDPR’s requirements.
6. Be aware of rules surrounding the rights of individuals
One of the key takeaways from GDPR is the strengthening of rights for individuals, including how you would delete personal data or provide it electronically in a structured, commonly used format. Businesses are obliged to facilitate these rights and to respond to requests within the statutory timeframe (generally one month), so it is important to ensure there are procedures in place to make this possible. Rights for individuals under the GDPR include:
- Subject access
- To have inaccuracies corrected
- To have information erased
- To object to direct marketing
- To restrict the processing of their information
- Not to be subject to decisions based solely on automated processing, including profiling, that significantly affect them
- Data portability
On the whole, the rights individuals will enjoy under the GDPR are the same as those under the Acts, but with some significant enhancements. Organisations that already apply these principles will find the transition to the GDPR less difficult.
7. Get educated on consent
The GDPR aims to offer more clarity when it comes to the issue of consent. Consent must be freely given, specific, informed and unambiguous, and must be given by a statement or a “clear affirmative action”: pre-ticked boxes, silence or inactivity do not count. Consent must be as easy to withdraw as it is to give, and you must be able to demonstrate that it was obtained.
Companies will also be subject to new measures restricting the ability of children to give their own consent to data processing: where online services are offered directly to a child, the consent of a parent or guardian is required for children under 16 (member states may lower this age to no less than 13). It is, therefore, worth examining what practices are already in place for making data subjects aware of how their information is going to be used and processed.
8. Identify your lead supervisory authority
Many of the organisations affected by GDPR will be operating internationally. It is important to establish where significant decisions regarding data processing are made, in order to know which data protection supervisory authority takes the lead when a complaint is investigated. Your lead supervisory authority is the authority for the member state of your “main establishment” in the EU: normally the place of your central administration, unless decisions on the purposes and means of processing are taken in another establishment.
9. Allocate more resources
All of these considerations can place a great deal of strain on an organisation’s infrastructure, so it is essential that companies allocate additional resources with which to meet these demands.
Beginning in May 2018, the GDPR will apply to any organisation established in the EU, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. Organisations that don’t abide by the rules defined by GDPR can be fined up to 20 million Euros or 4% of their worldwide annual turnover, whichever is higher (a lower tier of up to 10 million Euros or 2% applies to certain other infringements).
10. Data Protection Impact Assessments (DPIA) and Data Protection by Design and Default
You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments (PIAs) and work out how to implement them in your organisation. This guidance shows how PIAs can link to other organisational processes such as risk management and project management. You should start to assess the situations where it will be necessary to conduct a DPIA. Who will do it? Who else needs to be involved? Will the process be run centrally or locally?
It has always been good practice to adopt a privacy by design approach and to carry out a privacy impact assessment as part of this. A privacy by design and data minimisation approach has always been an implicit requirement of the data protection principles. However, the GDPR will make this an express legal requirement.
Note that you do not always have to carry out a PIA: a PIA is required where processing is likely to result in a high risk to individuals, for example where a new technology is being deployed or where a profiling operation is likely to significantly affect individuals. Note that where a PIA (or DPIA, as the GDPR terms it) indicates a high risk that you cannot adequately mitigate, you will be required to consult the ICO before starting the processing, to seek its opinion as to whether the processing operation complies with the GDPR.
Lastly, speak with legal counsel before dealing directly with this process, and get legal advice from practitioners who deal with the EU GDPR to validate that you’re working appropriately to secure your business and your European customers’ data.