GDPR, or the General Data Protection Regulation if you prefer, is coming. Are you ready? Well, if you’re a business owner or a key decision maker at an IT services firm and you even know what it is, then you’ve got a head start on around ten per cent of your contemporaries in the UK. That’s one of the key findings from a piece of research carried out by Litmos Heroes earlier this year.
The study also found that, despite the GDPR deadline – and a potential fine – looming on May 25, 14 per cent of IT firms don’t know what they have to do to meet the new regulation. Worryingly, four per cent admitted that they don’t even meet current UK data protection laws – and 20 per cent confessed to having inadequate safeguards in place to protect customer data.
But back to those ten per cent who aren’t yet familiar with the potentially business-changing EU regulation coming into force in May 2018. If you fall into that category then let me enlighten you. The GDPR was adopted by the EU Parliament in April 2016 and, from May 25, 2018, it will apply to all organisations processing or holding the personal data of people in the EU, regardless of where the organisation itself is located.
It was designed to make sure that data privacy was standardised across Europe, to protect citizens’ data privacy and to reshape the way that businesses right across the region think about and implement data privacy.
The GDPR will completely overhaul how businesses process and handle data. It’s the biggest change to data protection rules in decades and it’s come about because the old system was deemed no longer fit for purpose given the vast amounts of data and personal information many firms now have access to following digital advancements over the past 20 years.
The penalties for failing to comply are potentially enormous and could have serious consequences for many businesses. Organisations that breach the regulation can be fined up to 20 million Euros or four per cent of their annual global turnover, whichever is higher.
And don’t think that Brexit will save you either. Not only has the UK government decided to write the new rules into the UK statute book, but a large number of UK businesses already handle, and will continue to handle, the data of EU citizens – Brexit or no Brexit – and will therefore have to comply.
So that’s the lesson out of the way. You’re probably asking now, ‘what do we have to do about it?’
Well, before we get into that, let’s take a deep breath and try not to panic. There is plenty of scaremongering going on when it comes to GDPR and as the countdown to May 2018 continues, it’s a topic that’s likely to earn even more column inches.
12 important steps
But bear this in mind. A little while back, Elizabeth Denham, the UK's information commissioner who is in charge of data protection enforcement, described GDPR as “an evolution, not a revolution". Feeling any better?
You should, because for businesses and organisations already complying with existing UK data protection laws – and Litmos Heroes research found that six per cent admit that they currently don’t – that should be the case. For those diligent businesses, getting GDPR-ready should be little more than a matter of reviewing existing processes and making a few enhancements.
Here’s my handy guide, detailing 12 steps you can take NOW towards becoming GDPR-compliant.
1. Spread the word
Raise awareness about the impending changes within your company. Make especially sure decision makers and any key people know, so they can prepare for the changes.
2. Document the personal data you already have
Figure out what personal data you hold, where it came from and who you share it with. This could be the time for a data audit.
3. Communicating privacy information
Review your current privacy notices, and put a plan in place for any changes you need to make to meet the new rules, such as stating your lawful basis for processing, how long you keep the data and the individual’s right to complain to the supervisory authority.
4. Individuals’ rights
Check that your company’s procedures cover all the rights individuals have under the GDPR, including access, rectification, erasure, restriction of processing, data portability and the right to object, and make sure you know, for example, how you would delete someone’s personal data on request.
5. Subject access requests
Check whether you need to update how you handle subject access requests, and who will deal with them, within the new one-month timescale. In most cases you will no longer be able to charge a fee. In limited circumstances, such as where a request is manifestly unfounded or excessive, you can refuse it, but you have to explain why and tell the person that they can complain to the supervisory authority.
6. Lawful basis for processing personal data
Check the lawful basis for your processing activities under the GDPR, document it in each case, and update your privacy notice to explain it.
7. Consent
Double-check how you seek, record and manage consent. Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action; you cannot infer it from silence, inactivity or pre-ticked boxes, and people must be able to withdraw it as easily as they gave it.
8. Children
Assess whether you need to start verifying people’s ages, or obtaining parental or guardian consent for any data processing activity. The GDPR brings special protection for children’s personal data, particularly for online services such as social media. Consent for such services can only be given by a child above a set age (16 by default, which member states may lower to as low as 13); below that age, a parent or guardian must give the consent.
9. Data protection by design & Data Protection Impact Assessments
Try to ensure your team is considering privacy at early stages in product design, and that you are conducting risk assessments for high risk activities.
10. Data protection officers
Assess first whether you are required to designate a Data Protection Officer: you must if you are a public authority, or if your core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. Either way, you should designate someone reliable within your company to check that everything you do with data complies with the GDPR. Figure out where they will sit within your company’s structure and governance arrangements, and ensure that they are appropriately qualified.
11. Data breaches
These are about to be taken much more seriously. As a data controller, you will have 72 hours from becoming aware of a breach to report it to your supervisory authority, unless the breach is unlikely to result in a risk to individuals; where the risk to them is high, you must also tell the affected individuals without undue delay. If you are a processor, you must notify the controller without undue delay. Check you have the right procedures in place to detect, investigate and report breaches, and that you know who to report them to.
12. International
If your company operates internationally and carries out cross-border processing, find out which is your lead supervisory authority. The Article 29 Working Party guidelines will help you out.
Now that doesn’t sound too tricky, does it? It could still mean a lot of work, however, and plenty of UK businesses have recognised this. In fact, almost a quarter have employed someone just to make sure they comply before the May deadline. That contrasts, however, with the 11 per cent who confessed to having no idea which member of the team would be responsible for getting the business ready.
Our research, which was carried out to mark the launch of our new GDPR course for global businesses and SMEs, found that one in three said they had done nothing at all towards becoming GDPR-ready – and ten per cent said they don’t plan to.
And it found that nine out of ten admitted that if the regulation was introduced tomorrow, they wouldn’t be ready.
It’s a worrying picture but, as Elizabeth Denham added in one of her recent blog posts, “This law is … about putting the consumer and citizen first. We can’t lose sight of that. Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point.
“It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.”
If you get your house in order, follow our simple steps and, more importantly, start the process as early as possible, it might just be that GDPR isn’t quite as scary as you thought.
Tom Moore, Managing Director, Litmos Heroes