As May 2018, and with it the introduction of GDPR, looms ever closer, we will be bringing you a series of blog posts which we hope will inform you and help you unpack this EU directive and decide on the appropriate course of action for your organisation. If you missed our first post on GDPR, you can catch it here: The GDPR and You.
Why is this even a thing?
To get to the heart of things it always helps to understand the ‘why?’ element of the equation. So why GDPR – we already have a Data Protection Act in place? While this is true, the current Data Protection Act does not cover many of the enormous advances in technology that are now part and parcel of our daily lives, such as social media and the Internet of Things. These entities use our data and as such must be accounted for in the legislation.
Data is in effect a currency, making it a valuable commodity, and valuable commodities always face the threat of theft and misadventure when they fall into the wrong hands. This past year, along with all the other doom and gloom in the news, there was a constant slew of cyberattacks which consisted of hackers essentially holding the data of huge companies in many countries hostage for ransom. This suggests that businesses need to get a lot better at processing, storing and protecting their customers’ data. Take a look at this NBC report on the Equifax cybersecurity breach which could potentially affect half, yes that’s right HALF the US population.
Who needs to pay attention to GDPR?
Any organisation which holds data on EU citizens must be compliant with the legislation, including the UK; Brexit is not an exemption presently. In effect this directive is going to impact all businesses and while the scope of the exact implications will vary from business to business depending on size and the manner in which data is used, there are some elements which all organisations must take on board.
OK, so what exactly do I need to do now?
In our first blog, we outlined some of the basic steps every business (whether they are a 4-person SME or a subsidiary of an international corporation) will need to implement. For a reminder, just click on The GDPR and You.
The following are some measures that you need to plan to implement:
- Take stock – your nominated Data Protection Officer (DPO) will need to audit the business and establish why and how data is used in each case, delete any old records which are no longer in use and verify any third parties you work with to see if they are compliant with legislation.
- The two P’s (Planning and Policy) – Your DPO should create a project plan to ensure that the business is ready for May next year. This individual will also need to ensure that the company has a policy for data handling and processing. This should also include processes for handling data breaches and processing any requests for data from individuals. All staff should be familiar with the policy.
- Get out and communicate – A lot of businesses are in the same boat when it comes to this issue. Don’t shy away from discussions with stakeholders and people you meet at events. Naturally, you should exercise your judgment in these scenarios but you won’t be giving away state secrets and you may pick up some practical tips on how to manage this. There are plenty of workshops being run around the country so it may be worth booking onto some. Your local chamber of commerce may be a good port of call for workshops taking place in your region.
- Keep up to standard – This might not be a realistic option for all businesses. If feasible, however, you may want to consider implementing a certified framework for information management. This will provide reassurance to your clients and keep you ahead of the curve in this area. The ISO 27001 standard is recommended. Read more here: https://www.certificationeurope.com/certification/iso-27001-information-security. If you are considering this option you will need to assess which framework is most applicable for your organisation.
- Here are some resources which you may find useful:
  - GDPR Awareness Coalition – http://gdprcoalition.ie/
  - Data Protection Commissioner – https://www.dataprotection.ie/docs/Home/4.htm
  - Grant Thornton Insights – https://www.grantthornton.global/en/insights (this is not a dedicated GDPR resource but they do produce some quality content)
A Change is as Good as a Rest
Change can be daunting, but once we all get familiar with GDPR we should have a culture which advocates due care and diligence with data. This can only be a good thing. We hope you enjoyed our latest instalment on the topic. Please note that it is not intended to be a prescriptive list, so you will need to do your own research as well.
To finish, Cyber Streetwise came out with a very clever campaign a few years ago which highlights the importance of keeping data secure; here is one instalment of it. Enjoy! https://www.youtube.com/watch?v=xUK6MHUi6gc&feature=youtu.be