Meeting GDPR may seem challenging with the deadline of May 2018 less than a year away. However, it’s important to remember that the new regulation, though stressful in its implementation, is there to protect both your clients and your business, so careful planning and consideration are a must. Meeting GDPR is not without its challenges, as it does not actually specify ways in which to adhere to the new rules, and can often appear vague and overly technical in places. However, with the right planning, meeting GDPR requirements can be broken down into manageable parts. One of these areas is data.
Core Principles of GDPR
When it comes to changes in the way you handle client data, there are five main points to keep in mind:
- If you become aware of a breach, you must inform both the authorities and your clients within 72 hours.
- You must maintain records of how your data has been used, shared and amended so that you can provide evidence of this to your clients if requested.
- Clients have the right to request copies of their data, and to request that their data be deleted from your records.
- You will need to have up-to-date permissions from all clients, expressly allowing you to process their data.
- All personal data must be anonymous or encrypted, both at rest and in transit, with access only available to authorised personnel at each end of a transfer.
The fines for non-compliance with GDPR are huge – €20 million or 4% of global annual revenue (whichever is greater) – but there are also fines for infractions. The list of infractions includes not having sufficient customer consent, not keeping accurate records, and not informing the relevant parties in the event of a breach.
What is Personal Data?
The type of personal data you are storing could include anything from the basics – name, address, bank details etc. – to things like computer IP addresses and social media posts. The new regulation actually considers a far wider range of information. As such, you will need to look closely at the data you are in possession of to see what is now considered ‘personal data’ under the new regulation. To put it simply, personal data is now any information which is linked to a natural person, whether it be physical, physiological, genetic, mental, economic, cultural or social.
Meeting GDPR – Taking a Data-Centric Approach
Putting data at the heart of everything you do from now on will be essential, particularly when putting together new tech strategies, cyber security policies and plans, training your staff, and disposing of data. As a legal chamber, you are likely to hold a vast amount of personal data that could potentially be used for monetary gain by hackers. Your aim under GDPR will be to ensure that all of the data you hold is protected from the perimeter inwards and that everything is anonymous or encrypted at all times.
The following tips can help you on your way to full compliance:
- Keep your cyber security systems updated and carry out regular system checks. You could consider security as a service, which will cover all of your cyber security needs and ensure that all of your security systems are GDPR-ready.
- Update your perimeter defences.
- Update all permissions from clients with regards to the data you can access and how they allow you to use and share that information.
- Put in place effective systems for erasing information. Clients have the right to erasure under certain circumstances, if there is no reason for their data to continue to be used by you or your vendors.
- If you hold large amounts of data, you may be required to employ a Data Protection Officer.
Other information about preparing for GDPR can be found at CBSIT's Intelligence Centre, where we discuss everything from planning and preparation to the potential risks to business under the new regulation. If you would like more information or personalised guidance on meeting GDPR, contact our team of professionals today.