From 25th May 2018, the new EU GDPR legislation will affect all organisations that process the data of individual EU residents. Although the UK is poised to be leaving the EU in the aftermath of the Brexit vote, the government and the ICO have confirmed that the General Data Protection Regulation will still apply to us. Once we do exit, our strategy will continue to mirror that of GDPR in order to allow the free flow of data between both regions and to safeguard our own residents. The new rules strengthen the rights of EU citizens with regards to the personal data that is collected about them. But how does this affect organisations in terms of GDPR compliance?
In short, many companies have a task on their hands to bring themselves up to speed with the new GDPR legislation. There is much to incorporate into internal structures and policies in order to achieve compliancy with the law. Those that fall short are liable to face fines of up to EUR 20 million or 4% of global annual turnover, whichever is the greater. So, what is involved to make sure that your company is ready for the introduction of GDPR next year?
First Steps Towards GDPR Compliance
Perhaps the best approach to accomplishing the correct level of GDPR Compliance is to start by conducting an intensive review of your existing data protection policies. Compare them against the new regulations and identify the areas that you’ll need to change. There will be several. Some of the areas that you’ll likely need to focus on are as follows:
Redefining Your Data Consent Processes
One of the biggest changes to our current data protection laws is with regards to consent. Until GDPR, a pre-ticked box that a person chose not to untick has been able to define consent. This will no longer be the case. From now on, consent to process data must be active and unambiguous. It must be made abundantly clear that they are providing permission for your organisation to handle their personal data. In the case of sensitive data, which may include details for instance of race, religious beliefs, political opinions, sexual orientation, genetic data or trade union membership, consent must be explicit.
Your organisation must examine its current consent processes and redefine the way in which this permission is requested. Where the data you collect is used for multiple purposes, you must ask and receive consent for each type of processing that you intend to carry out.
The Risk of Third Party Providers
Companies who are preparing to meet the required standards of GDPR compliance need to look beyond the four walls of their own organisation and consider the risks of their third-party agreements. When it comes to the safe and secure transfer of data, third parties can often represent the weak link in the chain – in fact, they are implicated in as many as 63% of all data breaches. With the hefty GDPR fines that have been outlined, this is not a risk worth taking. It is therefore essential that you renegotiate contracts with your third-party partners to ensure that they are as equally invested in accomplishing GDPR compliance as you are.
Cross-Border Data Transfers
The digital age provides many advantages in how an organisation can use technology in order to enhance the efficiency and productivity of its operations. Yet, it is this same reliance on tech that causes a bit of a headache when it comes to analysing cross-border data transfers. This essentially means working out how and where the data in your organisation is handled. If your company uses cloud-based storage for instance, in which country are those remote cloud servers located? Similarly, do you use a global HR database that is full of personnel data? It is essential that you understand how the data in your organisation moves around and across what jurisdictions.
Although your company might not be based in the EU, if you do business with anyone in the EU and hold data about them, then you will still need to be compliant. In general, the transfer of such personal data outside of the EU is prohibited, unless it is established that the country that you’re sending the data to has its own adequate level of data protection, or that specific safeguards have been put in place to secure the information.
If your company forms part of a global operation, then it is essential to examine and understand all circumstances in which data is transferred outside of the EU. You must then ensure that for each instance where such a transfer occurs, that a GDPR-compliant process is in place.
With just over a year to go before GDPR compliance will be mandatory, it is essential that your organisation takes those first steps towards redesigning your data processes. However, a brand new internal policy won’t mean much without safe and fully protected IT systems. We can help you to develop IT security roadmaps and ensure that you meet all of your compliance regulations by installing and maintaining the latest security systems to keep your business safe. Want to know more? Get in touch today.