GDPR and your Business – Implications and Guidance

Data security is a hot topic around the world and the latest, publicised breaches prove that it can happen to any enterprise, regardless of the industry or size. There have been many debates and uncertainty around the upcoming General Data Protection Regulation (GDPR) in recent weeks. The Irish Data Commissioner (IDC), has released guidance this week for businesses who hold data (which is most likely the majority of enterprises).

Here are the top six points summarised:

1. Regulation comes into force on May 25th 2018
2. It gives greater powers to authorities to enforce the regulation
3. Non-compliance carries fines of up to €20 million or 4% of annual global turnover, whichever is greater
4. All organisations who process data must be aware of this regulation and take necessary steps to comply
5. Much of the regulations are similar to the existing Data Protection Acts of 1988 and 2003. The GDPR is an improvement on this
6. GDPR makes it easier for private individuals to bring claims against data controllers when their data privacy has been infringed upon

The Need for Business Software to Process Information Requests

At this stage, it is important to start generating awareness within your enterprise. Data controllers in the organisation should be aware of GDPR and the implications. A full review of your privacy documentation should take place and if any gaps are noted, these must be addressed before the regulation comes into place.

If you do not have any procedures around data information requests or contingent plans in place, these should be prepared and communicated across the whole organisation. Organisations will not be allowed to charge for information requests (except in extreme circumstances) and the timeframes for delivery of these requests will be dropping considerably from the existing 40 day window.

The next step is to understand what data you are holding on file. The onus is on your organisation to demonstrate compliance so it is important to review the data held by your organisation.

[cta link=”http://www.trc-solutions.com/gdpr-and-your-business/” colour=”grey”]Download the GDPR Guide from TRC Solutions[/cta]

A Data Compliance Audit will be Useful to Understand:

• Whyis its being held?
• Ensuring you have permission
• That it is in fact, secure
• How long will it be held for?
• Proof of consent
• How is it shared and if so, do you have permission to do so?

In certain circumstances, compulsory audits will need to be enforced in order to comply. This would apply to those organisations involved in ‘high-risk processing….where there is large scale monitoring of a publicly accessible area’.

Many applications online request information without clarifying where this information will be stored or how. Under GDPR, organisations must ensure customers are clear that they have provided consent and can not be ‘inferred from silence, pre-ticked boxes or inactivity’. A clear audit trail may be requested as proof.

GDPR introduces new procedures to protect children’s data. This includes clearer communication that underage customers will understand and permission from guardians where applicable.

Data Breaches

Some data breaches (most notably Yahoo!), were not communicated to the IDC, offices in a timely manner. The new regulations will require breaches to be communicated to the IDC within 72 hours of the situation being discovered unless the data was encrypted. Failure to do so will result in fines for both the breach itself and the delayed reporting.

Moving Forward

The documentation is available from the Data Protection Commissioner online. Dereck Teefy, our Director of Operations is already helping our customers prepare for the new regulation. If your organisation is in need of assistance, please contact us.
[cta link=”http://www.trc-solutions.com/?page_id=232″ colour=”grey”]Arrange a call with one of our SAP Business One Consultants[/cta]