The GDPR is the most detailed regulation on data privacy since the introduction of the 1995 EU Data Protection Directive. This new, pan-European regulation will replace the 1995 directive and is set to empower individuals and protect their rights. The regulation is not designed to bring companies and countries to their knees, but it has been written in such a way that anyone who puts their head above the parapet can be censured very quickly and very severely.
Individuals will have the opportunity to question how companies store their data and seek compensation where their rights were breached. Furthermore, it is no longer enough to state that an enterprise is compliant – evidence will have to be displayed, which pushes companies towards a ‘privacy-by-design’ approach to data protection, forcing the design of systems and processes to include data protection from the outset.
Getting ready for GDPR may not be straightforward, and data-heavy enterprises that have yet to start the journey towards GDPR are likely to find themselves on the wrong side of the regulation when fines come into force in May 2018.
The regulation is already in place, so don’t expect a lengthy grace period. Fines can reach €20 million or 4% of global turnover for the most serious infringements, and €10 million or 2% of turnover for lesser ones.
If you are at the beginning of the cycle or just considering the first steps, we recommend that you consider the following:
- Education: Educating your staff is a vital first step in keeping your data safe. More often than not, data breaches are the result of human error, so it’s vital that staff understand the regulation and what is expected of them. Understand that anyone within your organisation who maintains databases or processes information about people is a Data Controller and, as such, is liable under GDPR and must be compliant. This is not an isolated IT issue or the sole responsibility of the CEO; it is very much a company-wide challenge that must be tackled by the entire organisation as a team. Suddenly, that marketing mailing list or spreadsheet becomes a ticking time bomb.
- Systems: Clearly understand what steps need to be taken to ensure compliance. Is marketing using spreadsheets on multiple users’ machines or a secure CRM system? How do the recruitment / HR team store and manage CVs from existing and potential staff? Once there is a clear understanding, a plan can be formulated to bring everything in line. Create a system that all staff will follow. This can be anything from process documents to an intensive day of training. Our clients are SAP B1 users and are lucky in the sense that, by definition, all the data stored in the solution is secure, accessible by staff and traceable.
- Data Protection Officer: This role is not needed in every organisation, but where it is compulsory, it’s important for the DPO to gain a full understanding of the business and how data is collected, stored and accessed.
- Access: It is vital to know what information is held and where. Before you can gauge the magnitude of the challenge in front of you and the level of readiness needed, a gap analysis exercise will help you answer:
  - What data does your organisation hold?
  - Why is it being held?
  - How long will it be kept for?
  - Is it secure?
  - Is there proof of consent?
  - Who has access?
We have seen many organisations struggle at the first hurdle, often because of legacy systems and information siloed across teams and departments. If you have a plan and you’re on the road to compliance, then you’re on the right track. If you have yet to launch your plan, or perhaps your organisation is paralysed by the sheer enormity of the task, we have a range of solutions and a team of specialists that can help.