GDPR is one year away… here’s what you need to know
Does your company have a sizeable budget for paying out fines, compensation and the cost of litigation? If you don’t then you really need to consider the impact of the General Data Protection Regulation (GDPR).
Companies have to be compliant with the new requirements set out in the GDPR by May 25th 2018, or else they risk attracting the attention of the data protection authorities as a result of breaches or complaints, via desktop and themed audits, or even dawn raids.
That’s not to mention the reputational damage that a company that is proven to be negligent with its customers’ data would suffer.
GDPR focuses on the legality of personal data processing, consent, transparency, individual rights and security. Central to compliance is the principle of accountability which means that organisations must now demonstrate how they comply.
The EU stated when drafting the regulations that the aim was to put the individual firmly back in charge of their personal information and what happens to it. According to Computer Weekly, “it will fundamentally affect any organisation that stores, processes or handles the personal data of EU citizens – irrespective of that organisation’s size or where in the world it’s based.”
Ireland’s Data Protection Commissioner, Helen Dixon, recently said that: "The GDPR is a game-changing piece of regulation and cannot be ignored. To do nothing ahead of May 2018 is not an option, because there will be consequences to pay and the consequences will be very significant for any organisation, whether they are public or private."
So, we here at Integrity360 have decided to help you with the four main things you need to know to start getting your ducks in a row.
1. Do you know your data?
If your organisation has not yet taken any steps to comply then this is where you need to start. Until you know and understand what personal data you process either as a data controller or as a data processor on behalf of a data controller you cannot effectively assess your level of compliance.
Organisations need to gain an understanding of the electronic and physical data they process (on systems, servers, cloud services, mobile devices and archives, to name a few), the categories of data processed, and the individuals who are the subjects of that processing.
2. Have you appointed your DPO?
One of the main obligations under the GDPR makes it compulsory for some companies to appoint a Data Protection Officer. Companies are required to “implement appropriate technical and organisational measures” in relation to the nature, scope, context and purposes of their handling and processing of personal data.
While all organisations that handle personal data will be affected by GDPR, those whose core activities consist of regular and systematic monitoring of individuals on a large scale, or of large-scale processing of special categories of personal data (such as health data), have to appoint a dedicated Data Protection Officer. The DPO requirement also applies to all public bodies.
The new Data Protection Officer can’t hold an additional role that could conflict with the role of a data protection officer e.g. they can’t be someone who collects data or uses that data for sales or marketing purposes. The GDPR does, however, allow for an external Data Protection Officer to be appointed “under an appropriate service contract”.
3. Have you embedded privacy into your procedures?
Under the new regulation, individuals have to be fully informed about what exactly will happen to the data they hand over. Your organisation must demonstrate transparency by informing individuals about
- The purpose of acquiring the data and how it will be used
- Whether the data will be transferred to third parties or outside the EEA
- How long the data will be stored
- The right of the individual to access, update or erase the data
Consent, under the new regulations, means “any freely-given, specific indication… by which the data subject, either by statement or a clear affirmative action, signifies agreement to personal data relating to them being processed”. Consent is not required for all types of data processing; however, where consent is relied on, organisations have to be able to show how and when consent was obtained.
The ways an individual can give their consent are clearly set out in the regulation however it is of utmost importance that consent is obtained through an “affirmative” action only. This means that “silence, inactivity or pre-ticked boxes” are not valid forms of consent. And consent must be actively given by the individual concerned.
Under the “right to be forgotten” (the right to erasure), individuals can require an organisation to delete their personal data, and in any case, once data is no longer needed for the purposes for which it was collected, it must be securely deleted or destroyed.
Organisations must also be able to provide individuals with access to the data they hold on them within one month, respond to requests to rectify inaccurate data and manage objections by individuals to profiling and automated processing.
4. Is your security in order?
Companies handling personal data must “implement appropriate technical and organisational measures” to secure it, proportionate to the nature and sensitivity of the data that is processed and to the risks that processing presents.
Personal data is any information that “relates to an identified or identifiable natural person”. This means that any piece of information that could allow an individual to be identified is subject to the new regulation.
This includes online identifiers such as IP addresses and device or cookie identifiers, as well as indirect information such as physical characteristics (which might be used by retailers), banking information (processed by e-commerce retailers), and genetic or health-related data (held by insurance or healthcare organisations).
Once it is determined that you are holding personal data – then your organisation must implement the appropriate safeguards to protect that data.
This can include:
- Encrypting or pseudonymising personal data, so that a lost copy cannot be read or linked back to individuals without additional information (such as a key) that is kept separately
- Regularly testing, assessing and evaluating the effectiveness of the security controls on all systems that process and store personal data
- Having the ability to restore the availability of, and access to, that data in a timely manner following any physical or technical incident
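As an added illustration of the first of these measures (this is example code written for this page, not code from Integrity360 or from the regulation), the block below pseudonymises a customer record using only the Python standard library: the e-mail address is replaced by a keyed HMAC-SHA256 token, and the IP address is truncated to a network prefix. The record layout, the sample records and the fixed key are constructed assumptions for the example. It also shows why the key matters: an unkeyed hash of an e-mail address can be recovered by simply hashing a list of candidate addresses, whereas the keyed token cannot.

```python
"""Pseudonymisation of personal data fields (added example, standard library only)."""
import hashlib
import hmac
import ipaddress
import secrets

# Constructed sample input: two purchases by the same person, e-mail in different case.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "ip": "203.0.113.45", "purchase": "book"},
    {"email": "Alice@Example.com", "ip": "2001:db8:abcd:1234::1", "purchase": "pen"},
]


def new_key() -> bytes:
    """Generate a 256-bit pseudonymisation key. Under the GDPR the key is the
    'additional information' that must be stored separately from the data."""
    return secrets.token_bytes(32)


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of an identifier. Same input and key give the same
    token, so records can still be joined; without the key the token cannot be
    reversed, nor confirmed by guessing candidate inputs."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256: the weak alternative the example warns against."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def anonymise_ip(ip: str) -> str:
    """Truncate an IP address so it no longer points at a single host:
    IPv4 keeps the first 24 bits, IPv6 keeps the first 48 bits."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record with the direct identifiers replaced.
    E-mail is normalised to lower case first so variants link to one token."""
    out = dict(record)
    out["email"] = pseudonymise(record["email"].strip().lower(), key)
    out["ip"] = anonymise_ip(record["ip"])
    return out


def guess_from_dictionary(token: str, candidates: list) -> "str | None":
    """Dictionary attack on an UNKEYED hash: hash each candidate and compare.
    Returns the matching candidate, or None if the token is not a plain hash
    of any candidate (which is the case for keyed tokens)."""
    for candidate in candidates:
        if hmac.compare_digest(plain_hash(candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    key = new_key()
    for rec in SAMPLE_RECORDS:
        print(pseudonymise_record(rec, key))
    guesses = ["bob@example.com", "alice@example.com"]
    print("plain hash recovered:", guess_from_dictionary(plain_hash("alice@example.com"), guesses))
    print("keyed token recovered:", guess_from_dictionary(pseudonymise("alice@example.com", key), guesses))
```

Two practical points follow from this. First, pseudonymised data is still personal data under the GDPR, because the organisation holding the key can re-identify it; the truncated IP address is closer to anonymised, since no key exists to undo the truncation. Second, the key is the crown jewel: if it is stored next to the tokens, the pseudonymisation adds nothing, so keep it in a separate store (for example a key-management service) with its own access controls and audit trail.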
GDPR also permits organisations to demonstrate that they comply with these requirements by adhering to approved codes of conduct or certification mechanisms.
Want help with your GDPR preparation?
The requirements for complying with GDPR can at first appear daunting and organisations may find it difficult to figure out where they need to start and what they need to prioritise. Integrity360 can support your business by completing detailed GDPR readiness assessments to identify gaps against requirements and by outlining in detail the steps required to achieve compliance. Integrity360 can also support the completion of data inventories, data classification, privacy impact assessments and documentation reviews. Our cybersecurity and data privacy specialists can establish, upgrade and support your data privacy framework with tools such as: For more information about how we can help you to approach and manage your GDPR requirements please email firstname.lastname@example.org or visit integrity360.com for more information.