“48% of organisations won’t meet the deadline for GDPR compliance.” – DMA, GDPR survey, May 2017
The GDPR (General Data Protection Regulation) comes into force across the EU on 25 May 2018. It heralds a huge shakeup in the way businesses are required to collect, process and secure customers’ personal data and is designed to improve the rights of consumers with regard to personal data and how it is used, stored and protected.
May 25 2018 is a hard deadline – there is no transition period or grandfather policy. Your business needs to be wholly compliant with the new rules surrounding personal data by the May deadline or risk hefty fines.
The earlier you start the process the easier it will be for your business and there is plenty of information out there to help you along the way. The Information Commissioner’s Office (ICO) has some great documentation and tools to help you get ready and details the penalties if you are found to be non-compliant.
The GDPR’s definition of personal data covers any information that could relate to an identifiable, living being, for example, names, email addresses, phone numbers etc.
The GDPR defines six key principles. Personal data should be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals.
- Collected for specific, explicit and legitimate purposes and not processed beyond those.
- Adequate, relevant and limited to what’s necessary in relation to the purposes for which they are processed.
- Accurate and, where necessary, kept up to date.
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Processed in a manner that ensures appropriate security of the personal data.
To help you decide whether you are at risk and what your next steps should be, we’ve put together a checklist to get you started and ascertain your level of exposure:
1 – Carry out an information audit. You need to know what data you hold and how secure it is. How does your business collect and use information? Where is that data collected and stored? Who is able to access the data? What security measures are currently in place? Make sure you document all of this – you will need to be able to demonstrate that you know what the risks are and that you’ve taken the appropriate steps to mitigate them. Do you really need all the data you hold? Getting rid of high-risk or sensitive data that you don’t need at this stage may make things a great deal simpler. If you do need it, you will need to provide clear, legal documentation as to why and what for.
2 – Raise awareness within your organisation. Make sure everyone, particularly those with a connection to personal data, understands what changes are coming, and the potential impact this could have on the business – and the potential penalties. Make sure senior management is engaged and establish cross-functional teams to ensure all the bases are covered.
3 – Review your privacy policies and statements. Look at what you currently tell customers about how you use their data. How far does this currently go towards compliance with the GDPR?
4 – Assess your policies and procedures. Do you have formal guidance in place on what to do if an individual wants to know what information you hold on them, or if you have a security breach? Knowing your current situation will establish a foundation for the documentation you require.
5 – Get in touch with your technology providers. Compliance with GDPR will likely require changes and amendments to your technologies and systems, with particular regard to best practice on how data is stored and secured. Contact your suppliers to find out what steps they are taking to become GDPR-compliant and how they will be passing this support on to customers.
6 – Do you need to appoint a data protection officer (DPO)? In certain circumstances, organisations will need to appoint a DPO: for example, if you are a public authority, if you carry out large-scale systematic monitoring of individuals, or if you carry out large-scale processing of special categories of data (such as biometric data).
7 – Look out for updated guidance. The ICO and Article 29 Working Party will continue to produce advice and guidance on how to interpret and implement GDPR’s many provisions, so keep your eye out for updates.
8 – Be careful! The scale and the complexity of GDPR means you will likely need some help along the way, but beware wolves in sheep’s clothing. There are already rogue organisations in play looking to take advantage, offering questionable certifications and training – tread carefully.
We can help. Rubicon has teamed with a leading IT security and data governance company to offer a GDPR Awareness and Education Workshop with advice on how to get ready for the May deadline and beyond.
Delivered by a GDPR practitioner, the workshop provides a one time, all-inclusive session for key stakeholders to quickly get to grips with GDPR, identify the specific risks to your business and put a plan of action in place.
To find out more about the Workshop and GDPR readiness, call us on 0800 007 3040.