What is GDPR?
The General Data Protection Regulation (or GDPR) is a large change to data protection regulations and will supersede the current Data Protection Act (DPA) from 1998. Overall, the GDPR increases privacy rights for individuals and imposes stricter laws to ensure that organisations securely manage any personal data that they hold.
The new regulation will come into effect on 25 May 2018. Although that may still be a year away, it will require time-consuming changes, so avoid delay and start your preparations. Organisations tend to hear ‘data’ and immediately turn to their IT team, but this legislation also affects teams such as Marketing and Accounts and is an organisation-wide commitment, which adds further pressure not to delay.
What is personal data?
Personal data means data that can identify an individual, which can include anything from email addresses to religious beliefs. While the definition can be fairly vague, the ICO has produced a quick reference guide (8 pages) and a much more detailed guide (30 pages).
Download our Readiness Checklist
You can download our GDPR overview and checklist to help on your compliancy journey here.
How it helps individuals:
- Individuals have the right to access their data and can request a copy of their personal data
- Individuals have the right to be forgotten and their personal data deleted
- Individuals must give consent for an organisation to process their personal data
- Individuals have peace of mind that organisations are protecting their data, reducing fears of breaches and data sharing
What this means for organisations:
- You must obtain clear consent to process personal information
- You must clearly state how you will use this data and if it will be shared
- You cannot allow a ‘soft’ opt-in such as automatically ticking an opt-in box
- You must keep records of individual opt-in evidence and may be required to show this data
- It must be easy for individuals to withdraw their consent
- You should govern how your data is used and accessed
- You should keep records regarding data processing, such as consent dates and what the data is used for
- You should be able to easily export and/or delete personal data if requested
- Your organisation must protect personal data to prevent data attacks and breaches
- You must ensure a high level of data security is in place
- You must have measures in place to detect and respond to any breaches
- If you suffer a breach then you must notify the authorities within 72 hours; this does not just mean hacking, but also human error, such as an employee sending information to the wrong person
- Personnel and employees need to be trained and aware of how to protect personal data
- Certain organisations will need to assign a Data Protection Officer (DPO)
- You must define data retention and deletion policies
- You must define roles and responsibilities so only those that need to access personal data can
- You should audit and update policies regularly
- You should review roles and responsibilities regularly to ensure that only those who need access to personal data have it
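The list above says what an organisation must be able to evidence, but not what that looks like in a system. As an added illustration (not code from the original article, and not the API of any CRM or marketing product it mentions), the constructed Python sketch below models a consent ledger: it rejects ‘soft’ opt-ins that lack an affirmative action, stores the wording shown and the date and source of each opt-in as evidence, gates processing on an active consent, makes withdrawal a single call, and supports export (right of access), erasure (right to be forgotten) and a retention-based purge. All class, method and subject names are assumptions made for the example; the sample subjects are made up.

```python
"""Constructed consent-ledger example: names and data are assumptions, not a real product."""
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class ConsentRecord:
    """One piece of opt-in evidence: who, for what purpose, when, where, and the wording shown."""
    subject_id: str
    purpose: str
    granted_at: datetime
    source: str          # e.g. "web-signup-form" (assumed label)
    statement: str       # exact text the individual agreed to
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    def __init__(self) -> None:
        self.records: Dict[str, List[ConsentRecord]] = {}  # subject -> consent evidence
        self.personal_data: Dict[str, dict] = {}           # subject -> personal data held
        self.audit: List[str] = []                          # processing audit trail (itself subject to retention policy)

    @staticmethod
    def _now(when: Optional[datetime]) -> datetime:
        return when or datetime.now(timezone.utc)

    def record_consent(self, subject_id: str, purpose: str, source: str, statement: str,
                       affirmative_action: bool, when: Optional[datetime] = None) -> ConsentRecord:
        # A pre-ticked box or silence is a 'soft' opt-in: refuse to record it as consent.
        if not affirmative_action:
            raise ValueError("consent must be an affirmative action by the individual")
        rec = ConsentRecord(subject_id, purpose, self._now(when), source, statement)
        self.records.setdefault(subject_id, []).append(rec)
        self.audit.append(f"{rec.granted_at.isoformat()} consent {subject_id} {purpose} via {source}")
        return rec

    def withdraw_consent(self, subject_id: str, purpose: str, when: Optional[datetime] = None) -> int:
        """Withdrawal must be easy: one call closes every active consent for the purpose."""
        now = self._now(when)
        closed = 0
        for rec in self.records.get(subject_id, []):
            if rec.purpose == purpose and rec.active():
                rec.withdrawn_at = now
                closed += 1
        self.audit.append(f"{now.isoformat()} withdraw {subject_id} {purpose} ({closed} record(s))")
        return closed

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        return any(r.purpose == purpose and r.active() for r in self.records.get(subject_id, []))

    def store_personal_data(self, subject_id: str, purpose: str, data: dict) -> None:
        # Processing is gated on an active consent for the stated purpose.
        if not self.has_consent(subject_id, purpose):
            raise PermissionError(f"no active consent from {subject_id} for {purpose}")
        self.personal_data.setdefault(subject_id, {}).update(data)

    def export_subject(self, subject_id: str) -> dict:
        """Right of access: everything held about one individual, including the consent evidence."""
        return {
            "personal_data": dict(self.personal_data.get(subject_id, {})),
            "consents": [asdict(r) for r in self.records.get(subject_id, [])],
        }

    def erase_subject(self, subject_id: str, when: Optional[datetime] = None) -> bool:
        """Right to be forgotten: remove the personal data and the consent records."""
        found = subject_id in self.personal_data or subject_id in self.records
        self.personal_data.pop(subject_id, None)
        self.records.pop(subject_id, None)
        self.audit.append(f"{self._now(when).isoformat()} erased {subject_id}")
        return found

    def purge_expired(self, retention: timedelta, now: Optional[datetime] = None) -> List[str]:
        """Retention policy: erase subjects whose every consent was withdrawn longer ago than `retention`."""
        now = self._now(now)
        expired = [sid for sid, recs in self.records.items()
                   if recs and all(not r.active() and now - r.withdrawn_at > retention for r in recs)]
        for sid in expired:
            self.erase_subject(sid, when=now)
        return expired


def demo() -> dict:
    """Constructed walk-through of the obligations; returns the outcomes rather than printing them."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    ledger.record_consent("alice@example.com", "marketing", "web-signup-form",
                          "Yes, email me product updates", affirmative_action=True, when=t0)
    ledger.store_personal_data("alice@example.com", "marketing", {"email": "alice@example.com"})
    try:  # a pre-ticked box is not consent
        ledger.record_consent("bob@example.com", "marketing", "web-signup-form",
                              "(pre-ticked box)", affirmative_action=False, when=t0)
        soft_rejected = False
    except ValueError:
        soft_rejected = True
    exported = ledger.export_subject("alice@example.com")
    ledger.withdraw_consent("alice@example.com", "marketing", when=t0 + timedelta(days=1))
    purged = ledger.purge_expired(timedelta(days=180), now=t0 + timedelta(days=200))
    return {"soft_rejected": soft_rejected, "exported_consents": len(exported["consents"]),
            "still_has_consent": ledger.has_consent("alice@example.com", "marketing"), "purged": purged}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the consent record stores the exact statement shown and the capture source, not just a boolean flag: that is what lets you produce opt-in evidence on request, and it is the detail a pre-ticked checkbox cannot supply.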
What steps should you take?
While the changes required may be time-consuming, they should be seen not as a box-ticking exercise but as an opportunity to improve and build upon your current data management and protection practices. With high-profile data breaches damaging profits and reputations, data security is more important than ever for any organisation. A robust IT security setup is only going to become more important in the future, so effective compliance with GDPR will put you on the path to a secure, future-proof setup and save you time and hassle in the long run.
We’ve outlined some key steps to take to help you on the path to compliance but if in doubt, speak to your IT team, support partner or you can contact us.
- Start by getting to grips with the new regulations by researching online and reading the law here to fully understand it (while it is an impressive 88 pages of legal text, it is important to be aware of the detail within it)
- Ensure organisation awareness by speaking to key team members and ensuring key personnel are educated and aware of the implications and impact
- As a company-wide initiative, ensure that each team or department researches how it impacts them; particularly IT, Marketing and Accounts
- Carry out an information audit to discover what data you have and where it resides (note: if you have ISO27001 then this should already be done)
- Start by evaluating employee data and ensure that this is protected before moving on to customer or member data
- Evaluate what opt-in consent methods you are using and how you are collecting data. If these are unclear or non-compliant, Marketing will need to change how they collect marketing data
- Check how your personal data is managed, stored and processed, and whether this includes recording opt-ins and data processing audits (note: most standard CRM systems should do this. We recommend Microsoft Dynamics 365 and ClickDimensions for marketing automation, which capture this information)
- Evaluate your website data capturing and marketing activities to ensure that you have clear opt-in policies and clearly outline how any captured data will be used; these may need to be revised to remove pre-ticked boxes etc.
- Ensure marketing communications have clear opt-outs if individuals wish to remove opt-in consent
- Ensure that personal data for individuals can be easily exported and deleted if requested
- Lock down roles and access controls to ensure that only the relevant staff can access and process personal data
- Review and improve your data security setup to ensure that your organisation is protected against breaches (this includes physical datacentre protection, network, storage and compute security, ID management, access control, encryption, risk mitigation)
- Consider becoming Cyber Essentials or ISO27001 certified; while this is not everything required, it will ensure a base level of security and show your organisation's commitment to security
- Evaluate and implement solutions for detecting and responding to breaches (e.g. system monitoring software and detection software such as Advanced Threat Analytics)
- Plan and document how you would respond to a data breach; as you have 72 hours to notify the authorities, preparing for this will ensure you can react quickly and follow an outlined procedure to minimise impact
- Assign a Data Protection Officer (DPO) if required (note: this can be a dual-hatted role or third party)
- Organise security training for personnel that will be handling personal data and educate in best practices for data sharing
- Set up regular reviews of training and create an audit trail to show who has been trained and when to help protect against user error breaches
- Set up regular review of your data retention and deletion policies, such as every 6 months
The above steps are a guide to help you on your journey to GDPR compliance. The ICO has also produced this useful 12-step guide to help prepare for GDPR, which includes some high-level initial steps to take.
What about Brexit?
GDPR will come into effect before the UK leaves the EU so UK organisations will need to be compliant.
Does this just apply to European countries?
No, it does not matter where the organisation is based but instead whether they process the data of individuals based in the EU.
What if I do not comply?
The hefty fines for failing to comply with the GDPR are €20 million or 4% of global annual turnover, whichever is greater.
How long will it take to become compliant?
This depends on your current setup and the personal data that you hold (for example, data held on children is subject to much stricter rules), so it will be unique to every organisation.
GDPR represents a large change in data protection and increases individuals’ privacy rights. While becoming compliant will be a time-consuming and organisation-wide initiative, data management and security are only going to increase in importance and become a top priority for organisations. Taking the correct steps now to evaluate and improve upon current processes and infrastructure has a two-fold benefit: ensuring GDPR compliance and ensuring that your organisation treats security as a top priority, which is integral to success.
If you require guidance or support around your infrastructure and security measures, we hope you have found this article useful. If you require more information or would like to organise a meeting to discuss how we can help with your GDPR compliance, please contact us.
Download our GDPR Guide and Checklist
If you want to take away the GDPR information then please download our two-page fact sheet.
- An overview of GDPR
- What it means for organisations
- What it means for individuals
- Readiness checklist and steps to take to achieve GDPR compliancy