What is the General Data Protection Regulation?
After four years of debate and discussion, the EU has published a new regulation for data protection. The goal of this new regulation is to ‘contribute to the accomplishment of an era of freedom, security, justice and economic union’. This regulation will affect thousands of enterprises, not just those operating in the EU. Whether or not your organisation is directly data-driven, the new regulation will apply to all companies, and the penalties associated with non-compliance could cripple an enterprise and, in some cases, sound its death knell.
The fines for non-compliance are substantial, with new penalties of up to €20 million, or 2-4% of annual worldwide turnover, whichever is greater.
GDPR was passed on 25 May 2015 but penalties will not apply until 25 May 2018, giving organisations time to prepare their systems and processes. This new regulation will not just affect IT managers but will permeate every facet of the organisation, from operations, sales and human resources, to marketing. Now, more than ever, this is a board level issue, so it’s time to start taking this seriously.
It will no longer be sufficient to say your organisation is compliant. Your organisation must now be able to demonstrate it and show the steps taken to mitigate the risks of data infringement.
All Job Functions will be Affected
Any organisation will be affected in some way and is now liable.
Data Protection Officers are now as vital as your top salesperson. The role of the Data Protection Officer will need to be formalised under this new regulation. Under GDPR, organisations must appoint a responsible individual, internally or externally, who will take responsibility for your data protection compliance and has the knowledge and controls in place to ensure full compliance. The Data Protection Officer (or whatever title you assign) will be held accountable under the regulation and is responsible for monitoring processes, reviewing data and mitigating risks.
What if I am Not Compliant?
While it took four years to bring about, organisations have very little time to implement the obligations that are compulsory, or they risk facing serious consequences.
Organisations must act now if they wish to avoid the heavy penalties of non-compliance.
Preparation will include a full audit of how data is collected, what data is currently held (and how old it is), how the data is stored and, most importantly, how it is protected. Many organisations have managed to coast under the radar due to a lack of policing and enforcement. Under the new regulation, compliance will be actively policed, and individuals are given the power to make requests and lodge complaints easily.
Where do I Start?
Before embarking on the road to GDPR compliance, it’s worth noting that this is a challenging task and it will most likely take longer than initially anticipated. Many organisations that have commenced the journey towards compliance have experienced snags and difficulties that they had not anticipated. The resounding feedback is clear: there will be pockets and residues of personal data that will only be discovered through deep analysis and understanding of processes.
TRC Solutions recognise the difficulties that many organisations face, and even those with ISO 27000 will have some work to do in order to be fully compliant. With that in mind, we have created a series of steps that can be taken as a whole or individually to ensure complete compliance.
- Readiness Assessment: This full-day workshop will introduce GDPR to your organisation, with a follow-up report document charting the proposed action plan for the organisation. It identifies what GDPR is in the context of your teams and processes and outlines the path to compliance. Getting all staff members on board will greatly impact the speed of compliance. Our team of experts will detail how a data breach needs to be handled and raise security awareness in the team. This is very much an education session that will benefit all staff members.
- Data Inventory: Getting data into an organisation is often the easy part. Extracting and tagging data is where many organisations face difficulties. This session will form the important first steps towards compliance, but most of all, it can be relied upon as a central reference point when dealing with protecting personal data. This inventory will include aspects such as the type of information held (name, address, date of birth), the volume of information, the retention period, the staff who can access it, its source and the security controls on the data. At the end of this process, we will deliver a report detailing the master data inventory, information flows and locations of information held.
- Gap Analysis: Our approach at this stage of the process is three-fold, involving information gathering, analysis of the level of compliance and recommendations for remediation or improvement. The final report will outline the scope of the analysis and the corrective actions, listing the primary steps needed to remediate gaps and achieve compliance.
- Data Protection Programme: This stage focuses on the solutions to the issues highlighted at the Gap Analysis stage. This may involve a security design review so that further data is collected under systems that provide privacy by design or privacy by default. We can prepare codes of conduct or accreditation for all staff, which enhance competence and confidence, thereby easing data protection concerns. These are just some sample areas which may be considered, but there are many more which cannot be determined until the Gap Analysis is complete.