Have you started your preparations for the GDPR (General Data Protection Regulation)? Even the mightiest ignorance could not stand against the torrent of blogs, whitepapers, articles and other material available; from the apocalyptic penalties to the deafening tick of the countdown clock, there is no rest. For most organisations, the journey to compliance has yet to begin, and for one simple reason: where to start? To help begin the road ahead, we have developed five key items to focus on early in your quest.
Five Key Steps
- Raise Awareness - The GDPR is likely to mean moderate to significant changes in the way that your organisation currently collects and processes data. Although it is a successor to The Data Protection Act 1998 and encompasses many of its existing provisions, the GDPR packs more of a punch and therefore will need to be adhered to more carefully. There are two distinct audiences who need to be addressed about the incoming changes. Firstly, the decision makers of the organisation will need to understand the reasons for complying and what the journey to compliance involves. Secondly, staff will need to be briefed about changes to the ways in which they work, particularly if they handle personal data. Staff members who handle personal data are considered data processing systems and will on occasion be the fine line between a breach and compliance.
- Understand Data Subjects' Rights - Much like under The Data Protection Act 1998, data subjects have a right to request access to personal data related to them which you are storing or processing. The time frame to comply has been reduced from 40 to 30 days and administration fees have been removed. In addition, data subjects can now request that personal data is rectified if incorrect, have data erased, and prevent profiling based on behaviour. You will need to consider how you can meet each of these rights in the timeframe stipulated. Not providing these rights to data subjects can incur the highest levels of administrative penalties.
- Appoint a Point of Contact - The GDPR requires that all data controllers provide contact details of a member of their organisation who can be contacted by data subjects to exercise their data subject rights. Nominate a data control contact point for your organisation and publish their contact details at all points of data collection and to the supervisory authority. For organisations that are public authorities, such as local councils or police forces, or those which process significant quantities of personal data, a Data Protection Officer (DPO) will need to be appointed. A DPO acts as a responsible party and advisor in all cases of data processing. The GDPR specifies that this person need not be an employee of the organisation and need not be available on a full-time basis, but should be involved in all cases where data processing is modified, assessed or implemented. If required, hire or nominate a DPO.
- Read the Regulation - There is a huge quantity of information regarding the GDPR, ranging from full guides to short fact sheets. Social media alone is awash with commentary and offers of services and solutions which will aid in compliance. With so much information available, the best advice is to read the regulation itself first. It is available online in PDF format, and it is better to get to grips with the articles of the regulation before turning to commentary on it, which may be speculative or biased toward a security vendor.
- Build a Team - Many mistakenly think of the GDPR as a task for IT or information security teams. This is not completely incorrect, but considering the reach of the regulation and the considerable penalties for being in breach of it, this is more of an organisation-wide activity. There are likely to be changes made in departments outside IT, such as HR and Marketing, to name but a few. The best approach to these changes is to build a GDPR planning and transition team made up of members of those affected departments. Understanding how they currently work and the impact the regulation will have is something an outsider is very rarely able to determine on their own. In addition to this, by keeping the planning and implementation shared, the continued maintenance will likely be better adopted.
The Journey Begins
The journey to GDPR compliance is long, arduous & likely to contain unanticipated twists & turns. However, it is a path which all organisations must walk, some more reluctantly than others. As of May 2018 the ICO will show it means business, gaining renewed focus after two decades of enforcing an increasingly obsolete data protection law. Act now to avoid the cross hairs; the time available now offers you more breathing space than you will have once the GDPR comes into effect.