The new General Data Protection Regulation (GDPR) is now less than six months away, yet a new Trends Report released by British software and services company Advanced shows a worrying 25% of organisations are unprepared for or, even more concerning, unaware of the changes it will bring.
It begs the question: what’s holding organisations back from preparing for this impending legislation? What actions should they be taking now?
Adding fuel to the fire is the Data Protection Bill, which the Government claims will “bring our data protection regime into the 21st century”. The bill, part of the National Cyber Security Strategy, is intended to find a balance between protecting data, penalising those who break the rules and returning control of data to the people.
The net result? Organisations need to get serious about protecting the personal data they hold about and enforce data best practice.
To prevent organisations being on the wrong side of the law, and risking large fines, without realising it, here are the steps all businesses must take to get GDPR-ready…
Who will the GDPR affect?
From next Spring, companies will face a long list of rules they’ll have to follow to comply with the new GDPR. Failure to comply can result in fines of up to €20m or 4% of an organisation’s global annual turnover (whichever is higher), and untold reputational damage.
Understanding the key elements; auditing current data protection measures at your organisation; documenting all the information you have; and ensuring all your data collection and procedures are GDPR-compliant, is therefore vital. However, this is a lengthy process for any medium or large enterprise, while smaller businesses may be concerned about their ability to cope with such a complex task. Senior leaders must therefore ensure they are doing all they can to manage the changes ahead with the information already available.
The way in which the GDPR will affect businesses across different sectors and industries will of course vary depending on the types of data they own and how it is used. With the change in regulation being a vast alteration for a lot of UK organisations, there are many things to consider to ensure compliance by next May.
Check you have consent now
Potentially one of the biggest causes for concern when it comes to the GDPR is the issue of consent. When financial or personal data gets into the public domain by accident, it affects peoples’ lives and industries can collapse. Organisations can’t get that privacy back again and they can’t reverse the impact data breaches can cause. Under the new data protection regulation, businesses will need to ensure they have the consent of the individuals they wish to contact through different channels before the legislation takes effect (thereby preventing data protection breaches).
While this might not sound difficult, finding a way to engage with their customer base to opt-in in the first place can be challenging for organisations. Unfortunately, it’s not a simple ‘tick box’ exercise, making it harder for them to not only obtain consent from individuals, but also track and record consent.
Get your data in order
Organisations should carry out an impact assessment, including a data audit, to find out where the information resides, what data is personally identifiable and how accessible it is. Figuring out what data is necessary for commercial purposes and to delete anything that is not needed is a good idea. It is also helpful to build a picture of how information flows through the organisation. If a client provides their details over the phone, for example, does this data then sit on a piece of paper on a desk, get entered into one system, or into five different ones? Once the impact assessment is complete, the creation of a gap analysis will help to devise a plan to resolve these highlighted issues.
Sort out your security
The increased threat of cyber-attacks and the impending GDPR both place new responsibilities on business leaders to ensure every employee understands how to protect corporate and personal data. Organisations must continue to move from awareness to action, by ensuring cyber security is a board level priority. The repercussions of a data breach or loss would be even more damaging if a company failed to safeguard its data under the GDPR. Equifax, for example, could have been fined up to $124 million if the regulations had already come into effect when their data breach occurred. Firms will also need to ensure their security alert systems are equipped to spot and react to any break-ins quickly because, under the GDPR, data breaches will have to be reported within 72 hours.
To keep up with all these extra requirements, many businesses will also need to appoint a data protection officer. They will be responsible for educating a company on its GDPR requirements, training staff in data processing and conducting regular security audits across the organisation. The DPO will also serve as the main point of contact between the company and the authorities.
While this can seem a huge headache, there are also many compelling arguments in favour of the GDPR. Data protection is a massive responsibility and this legislation is driving deadlines to ensure organisations step up to the requirement of managing and safeguarding data from both a financial and personal perspective. It can, for example, be used to adopt best practice around the handling, control and security of an organisation’s information, update and enhance business processes, and improve the quality and integrity of data held. It also enables businesses to rethink why and how they capture and use personal data of their customers, staff and leads. It teaches best practice.
It’s critical businesses don’t get distracted by issues out of their control – like the uncertainties around Brexit – instead failing to focus on real and present threats, such as getting prepared for GDPR. Every single business should be taking action on the GDPR today, preventing potential financial and regulatory consequences down the line.
Jon Wrennall, CTO at Advanced
Image Credit: Bbernard / Shutterstock