GDPR, or officially, the General Data Protection Regulation 2016/679 will come into force on the 25th of May 2018.
To rephrase – this means that you now have less than nineteen months to get ready for what is the biggest shakeup in Data Protection in the last decade. Therefore companies, their employees and their third parties will have less than nineteen months to prepare themselves for significant disruption to the way that they store, manage and process personal data.
So, as a company, how can you see the wood for the trees? What should you be focusing on and if you were to categorise them into a top 5 priority list of things you as a company should do, what would they be?
- Understand the scope of GDPR
In the simplest of terms, the primary difference between the former Data Protection regulation and the new GDPR regulation is age. Like many of our forefathers, the former was born during a previous generation, before the rise of the Internet, Facebook and Google, for example. The new Regulation has an expansive scope that is far reaching.
Firstly, for any business that processes EU citizens’ personal data or monitors their behaviour, or who may have staff operating in the EU, compliance with GDPR will be required. GDPR also has extra territorial reach and therefore, if you are an organisation outside of the EU that does not even have a physical presence in the EU, the GDPR may still apply.
- Identify the Imposition of further obligations
GDPR requires transparency when providing information to individuals concerning the processing of their personal data. It essential that organisations review their privacy notices and policies to ensure that all necessary information is provided to individuals.
Consent remains one of the grounds for further processing within the new Regulation however, there is now a higher threshold than before. Given the higher threshold organisations should must focus on obtaining clear and unbundled customer agreement if they wish to rely on this justification for processing. It is also noteworthy that evidence or proof of this consent is critical and as such record logging and retention must be of a superior standard.
- Raise awareness of the rights afforded to data subject
GDPR has introduced some significant new and enhanced rights for individuals with regard to their personal data. Data Subjects have the right to access, port, restrict and object to the processing of their personal data. Data Subjects can also demand the porting of their personal data to them or directly to a new provider in an inter-operable, machine readable format. This applies where the data has been provided by the Data Subject to the Controller, processed automatically or processed based on consent or fulfilment of a contract. For any organisation, the right to port personal data is one that will require planning and preparation so that your employees can have all the necessary resources available to them to deal with such requests.
- Educate, Educate, Educate or be reprimanded
Under the current Data Protection Directive, there is a large variation across Member States in financial penalties. In contrast under the new GDPR legislation enforcement powers will be significantly increased under the GDPR, including the fines that may be levied which peak at €20M or 4% total worldwide revenue.
Given the substantial fines that can be imposed, organisations should invest time and resources into accomplishing compliance with the GDPR. This includes educating all the various stakeholders, from Executives to Third Party processors that influence your ability to achieve and sustain GDPR compliance.
- Address GDPR head on and move with urgency
To quote Leonardo da Vinci: “I have been impressed with the urgency of doing. Knowing is not enough. We must apply”. This is the type of thought leadership that organisations must have if they are to address GDPR.
A culture of compliance is critical for the success of your organisation when it comes to addressing the GDPR, staff training and clear policies must be in place. This will also address the need for the GDPRs accountability provisions. Privacy Incident management processes need to be clear and concise and related internal policies should be revisited to ensure that data breaches are dealt with immediately and through the correct process.
Are you interested in planning your approach to GDPR compliance as early as you can and gaining buy-in from key stakeholders in your organisation?
If you need help with your GDPR project, we’ve collaborated with subject matter experts to produce GDPR for Dummies in association with Wiley, the official Dummies brand. You can claim your free copy here.
MetaCompliance has designed and created eLearning courses that can help your organisation raise awareness among employees while engaging top line management to ensure their buy-in. Contact MetaCompliance and learn how its Cyber Security & eLearning Library and Awareness Services can help you build GDPR compliance in your organisation from an Information Privacy and Information Security point of view.