Though many businesses may find the GDPR guidelines tedious and demanding, the regulation should actually be seen as an opportunity to renew the focus on data security. The EU's own Data Protection Directive is now over 20 years old and, given the evolution of technology during this time, this update is timely and very much needed – particularly given the growing number of cyberattacks.
We're leaving the EU: is GDPR still relevant for us?
GDPR is due to come into force by mid-2018, so we will still need to comply with it because:
- We will still be an EU member state at that time
- GDPR applies to all businesses serving EU citizens, or located in the EU. In October the Information Commissioner confirmed that the UK Government will be implementing the GDPR.
Adhering to GDPR as the benchmark for protecting data will also stand businesses in good stead when they look to do more business with the rest of the world.
What data needs protection?
Whether we like it or not, we are becoming an increasingly data-led world. Keeping data safe and secure is crucial, but one way to make data protection easier is to reduce the amount of data stored.
GDPR stipulates how to protect data as well as what data should be kept. The best-known aspect of this is the right to be forgotten. This means that companies must be able to erase data quickly and permanently – a much more resource-intensive obligation than the current requirements of the Data Protection Directive. Erasing data properly from all storage devices, including servers, the cloud and old desktop computers sent for recycling, should all be part of the process.
To successfully implement GDPR, businesses need to review and update their processes and policies and embed them in the everyday workings of the organisation, from the CEO to the most junior members of staff as well as third parties.
7 steps to get GDPR-ready
When preparing to adhere to GDPR, there are seven points you should consider. Let’s review each one in detail.
1. Start preparing now.
An investment in time and resources will be required to research and implement new processes and to ensure buy-in to the process of change from across the business. As this will most likely be a time-consuming process that will involve several people in your organisation, it is best to start preparing as soon as possible.
Some questions you should consider when deciding what changes are required in your business include:
- Are your internal data processing and record-keeping practices compliant?
- Does your current technology adhere to EU GDPR requirements?
2. Find out what and where your data is.
Do you know all the locations where you store customer data, including the physical, virtual and logical places? It's important to understand the personal data that you have, what it is needed for and where it is stored. Performing a comprehensive audit of this will take time and resources, but this work will need to be scheduled anyway, and it's better if it happens sooner rather than later.
3. Get rid of data you no longer need.
Only hold on to data that is necessary and relevant to your business. Remember, you are responsible for protecting all the data that you hold, so if you no longer need it, it's best to get rid of it.
Bear in mind that when you sell, resell or rent IT equipment and 'smart' devices that store user data, you should ensure all data is securely removed before these are reused. It is best to use verified solutions so that your data erasure process is secure and reliable.
4. Make sure you involve the right people.
Each organisation is different, and therefore who will need to be involved in the implementation and ongoing management processes will vary. Departments that should be involved, regardless of the nature of the business, include IT, Legal and Human Resources.
For some companies it will make sense to designate a Data Protection Officer, but this is not mandated by the GDPR. A Data Protection Officer might be the right choice for your business, but equally it might be more suitable to set up a committee with shared responsibilities.
The main thing, though, is that action is taken and that all key stakeholders and decision makers are made aware of and understand the impact of the new legislation.
5. Let stakeholders know of the implementation.
As with any change in processes, this must be communicated to everyone to ensure it will work. You may need to develop special communications to inform all employees and customers. They need to be aware of the changes early enough in the process to give you time to amend processes if needed.
6. Understand the changes required.
The right to be forgotten means you will need to put a process in place for deleting individuals' information on request. This will likely be an expensive process, and you will need to provide proof to the customer that you have in fact deleted all their information. You should have a process in place to respond to these requests as efficiently as possible.
Make sure you understand the legal basis for processing your data, and that you are able to document it. You may need to present proof on demand that you have followed the proper security processes.
These are just a few of the new changes, but a fuller outline of all the requirements and who they apply to can be found at the Information Commissioner's Office.
On your to-do list, you should also consider including the following actions:
- Explain to your customers their rights related to their personal data and inform them of their right to withdraw their consent to use or store their data
- Ensure there’s appropriate documentation that proves when customer data has been deleted
7. Always plan for the unexpected.
You should always plan for every foreseeable eventuality – as the old saying goes, it's better to be safe than sorry.
Should you suffer a breach, the last thing you need at that time is to be worrying about researching and getting approval for a contingency plan. It is always best to prepare for these things beforehand and hope that the plans are never needed.
Among the things to consider, you should work out:
- how you will implement Privacy Impact Assessments
- what your data protection requirements are from an international perspective as well as domestically
Remember, you will need to notify the EU GDPR supervisory authorities and all affected individuals if and when a breach occurs.