You have heard the rumblings, and yes, GDPR is coming. But what exactly is GDPR, and how will it affect your business? The General Data Protection Regulation (GDPR) is the EU’s attempt to bring data protection legislation into line with new, previously unforeseen ways that data is now used.
The new data privacy law will come into effect in May 2018. It is a complete overhaul of the legal requirements which must be met by anyone involved in handling personal data of EU citizens.
The goal of the regulation is to give citizens greater control over what businesses can do with their personal data. Enforcement will be harsh, with large fines – up to 20 million Euros or 4% of a company’s global turnover – for non-compliance.
The regulation must be adhered to by any organization employing 250 or more. This implies that many SMEs will be exempt, but that’s not true. Businesses of all sizes must comply if they are involved in the regular ‘processing’ of certain categories of personal data, which includes collecting and storing as well as using personal data.
The remit extends to paper-based as well as electronic data, with a forecast 40% of non-compliance coming from paper-based practices. All businesses should support a paper security policy – including shredding facilities.
Full compliance will be essential because the powers of the regulation extend far beyond the borders of Europe and apply to any business which handles EU citizen data, whether or not the business is based in the EU.
How does a business become compliant?
A lot of the GDPR obligations placed on businesses are common sense and should already be in practice in companies with solid data privacy and protection processes in place. However, here’s a quick six-point checklist for compliance requirements:
1. Appoint a Data Protection Officer – keep records of all data processing activities performed by the company. This officer must be fully conversant with the organisation’s responsibilities regarding GDPR and have a thorough understanding of what data within your organisation counts as ‘personal’, where it’s kept, who has access to it, how to spot breaches when they occur and who to report them to. The Data Protection Officer doesn’t have to be an employee – you can outsource this function.
2. Assess your systems – Review all contracts, technology support, procedures and tools that relate to the processing, handling, storing and deleting of data to enable you to identify any weaknesses or gaps that require changes to be made.
3. Develop a strategy – Construct a new strategy that will ensure full compliance with the GDPR. This strategy may encompass new investment in technology, revised staff procedures and responsibilities for data processing, and new roles within the organisation.
4. Implement a new organisation policy – The next step towards GDPR compliance is to put your plan into action throughout all levels of the organisation. Invest in and introduce the new technologies and systems required in the workplace, and publish an informative data handling and processing guide.
5. Employee engagement – Launch your new data compliance policy to all staff; provide training, information and guides to employees so they are educated and aware of the changes taking place and their responsibility in ensuring that the company meets the requirements of the GDPR.
6. Review and improve – After launching your GDPR compliance plan, now is the time to review and improve before the regulations come into effect. By identifying any necessary improvements well in advance of the GDPR’s deadline, your organisation will, once May 2018 arrives, have successfully and efficiently adapted to the changes and be completely compliant.