Recent research conducted by Veritas has confirmed that 54% of organisations have yet to prepare themselves for the commencement of the EU’s new General Data Protection Regulation policy, which will come into effect in May 2018. Perhaps this is due to a misunderstanding regarding the UK’s status within the EU following the Brexit vote. However, the government has communicated that the introduction of GDPR will still come into effect as planned, and that the UK will continue to mirror the terms of the regulations even once we officially exit the EU.

The Minister of State for Digital and Culture, Matt Hancock explains “we are keen to secure the unhindered flow of data between the UK and the EU post-Brexit, and we think that signing up to the GDPR data protection rules is an important part of helping to deliver that.”

So why, then, are companies falling short of their responsibilities to prepare for the General Data Protection Regulation coming into force, even though the potential for a major compliance failing is significant? It seems that a lack of understanding over who bears responsibility for the regulation may be to blame.

Assessing Accountability for the General Data Protection Regulation

According to the Veritas survey, around 32% of respondents believe that the Chief Information Officer is responsible for preparing for GDPR. A further 21% are under the impression that this is a task for the Chief Information Security Officer, 14% believe the onus lies with the Chief Executive Officer and 10% are backing the Chief Data Officer.

So, who is correct? According to a report delivered by the Centre for Information Policy Leadership (CIPL), they all are.

“…Data is critical to many business processes, products, and services. This is why GDPR implementation must be a concerted effort across the organisation, with the DPO working hand-in-hand with the Chief Data Officer (CDO), Chief Information Officer (CIO), Chief Information Security Officer (CISO) and other senior leadership.”

Small Businesses Are Not Exempt

A common misconception amongst small business owners is that, since they do not have any of these designated roles within their organisation, they must be exempt from preparing for the General Data Protection Regulation legislation coming into effect. This is far from being the case. GDPR affects all businesses, regardless of their size. Even smaller businesses that do not process client or customer data will almost certainly have employee data on file. Therefore, it is vital that they bring themselves up to speed with the changes in policy, so that they can avoid the possibility of being on the end of an Information Commissioner’s Office (ICO) investigation. If your business is subject to a data breach, then you could find yourself facing hefty fines of up to EUR 20 million or 4% of worldwide revenue, whichever is the larger.

However, the good news for small businesses is that although they have to dedicate personnel and resources which they wouldn’t normally possess to dealing with the integration of the General Data Protection Regulation, the changeover to the new policy should in fact be fairly straightforward. This is because when dealing with smaller data sets there are fewer consents to both obtain and update in order to remain compliant. Similarly, it will take less training and less development of new data protection policies to meet the requirements.

Guidance for GDPR Preparation

Larger companies have a task of greater magnitude on their hands, which is why it is essential that they start preparing sooner rather than later. Here is some guidance which can help organisations get to grips with the changes.

  • Awareness and Training – Ensure that all decision makers, stakeholders and senior leadership are aware of the changes that GDPR will bring, and understand the impact that this may have across the business.
  • Data Documentation – Conduct an information audit and ensure that all personal data you hold is correctly documented, both in where it came from and how/where it is shared.
  • Rights of Individuals – Your data protection procedures must include a demonstration of the rights of individuals, including how personal data is stored, shared, deleted, and documented.
  • Privacy Notifications – These must be reviewed and adapted for the commencement of GDPR in May 2018.
  • Identifying a Legal Basis – There must always be a valid legal basis for the data processing which is being carried out. This should be identified and documented.
  • Data Breaches – Your company must have the right procedures in place to detect, notify and investigate any data breach that occurs.
  • Data Protection by Design and Data Protection Impact Assessments – The ICO has produced specific guidance on Privacy Impact Assessments; it is vital that your teams are familiar with this documentation and understand how to put it into practice.
  • Consent – Understand and reassess how your company seeks, obtains and records consent to process data.
  • Subject Access Requests – These procedures must be updated and processes should be developed which outline how your business handles requests for data within the new timescales in the GDPR legislation.
  • Children – Additional systems must be introduced, which verify the age of each individual and gather official parental or guardian consent for the data processing activity which is required.
  • Data Protection Officers – An official DPO position must be assigned to someone, either dedicated, or as part of an existing role. This person will take responsibility for data protection compliance and will analyse how this role falls within the organisation’s existing structure.
  • International Considerations – If your organisation is global, then it must be established which data supervisory authority you fall under.

As part of the changes brought by the General Data Protection Regulation, you will need to develop an ongoing security strategy to safeguard your data systems. We are experts in providing the most current security solutions, which will keep you protected and manage any future threats or vulnerabilities that arise. Want to know more? Get in touch today.