The General Data Protection Regulation (GDPR), which will be introduced on May 25th 2018, is set to have an impact on all member states of the European Union, as well as on nations handling the data of EU citizens.
However, with just over a year to go, research from the DMA suggests that over a quarter (26%) of marketers feel their business is unprepared for the GDPR.
So what can companies do to ensure they are compliant? Here are 10 simple steps organizations can take.
In a blog last year, Steve Wood, head of international strategy and intelligence at the Information Commissioner’s Office (ICO), allayed concerns over Brexit, stating that “once implemented in the EU, the GDPR will be relevant for many organizations in the UK”.
It means that while the UK may be preparing itself for an exit from the EU, many of its businesses and organizations will still be subject to GDPR compliance (and, after all, enterprises in the UK will still be handling EU data).
It is important to ensure that all the important decision makers within your organization are aware of the implications of GDPR and what it means to their everyday operations.
According to Gigamon’s 2017 UK Cyber Readiness Survey, only 41% of IT professionals said they were “fully aware” of the implications of GDPR, while 9% said they had no awareness at all.
These figures suggest there is clearly some work to be done to ensure all organizations are on board with the new proposals.
Under the current EU Data Protection Directive, only data controllers are liable when it comes to data protection compliance.
But as the ICO explains, GDPR places direct statutory obligations on data processors too.
It is therefore important to establish whether your organization is a data processor or a data controller, bearing in mind it could be both.
Auditing your current methods is one of the best ways in which to prepare for GDPR, meaning that a thorough understanding of how your organization deals with data is paramount.
It’s important to establish where personal data is being stored, before assessing the security of that location, who is responsible for controlling that data, and whether it is being shared.
Getting your IT department involved with this process is crucial and will give you a better idea of the current capabilities of your organization.
Examining any previous data breaches of your systems will give you a clearer idea of how well your organization can react to future attacks, and a better picture of whether those procedures are capable of meeting the new requirements.
One of the standout measures set to be introduced under the GDPR is that data breaches will need to be reported within 72 hours of being discovered, along with information detailing the nature and severity of the attack.
With the threat of significant fines for any organization that fails to comply, there is ample incentive for organizations to get their houses in order.
According to the IAPP, data protection officers (DPOs) will be essential for public authorities and for other organizations whose activities involve regular, large-scale monitoring of data subjects.
The DPO acts independently and will report to the very highest level of management within the organization.
Their main responsibility is to have an impeccable understanding of GDPR, and to implement the requirements needed in order to gain consent.
One of the key takeaways from GDPR is the strengthening of rights for individuals, including the right to be forgotten and data portability, which means you could be required to provide data to an individual that can then be taken to a competitor.
Businesses are obliged to promote these rights, so it is important to ensure there are procedures in place to make this possible.
The GDPR aims to offer more clarity when it comes to the issue of consent. New measures will require companies to gain an explicit statement or “clear affirmative action” when it comes to data processing.
Companies will be subject to new measures restricting the ability of children to give their consent to data processing without parental permission.
It is therefore worth examining what practices are already in place when it comes to making data subjects aware of how their information is going to be used and processed.
Many of the organizations affected by GDPR will be operating internationally, and may subsequently be subject to other directives that go beyond the GDPR.
It can be tricky to work out which data protection supervisory authority takes the lead when a complaint is investigated, but according to Article 56 of the GDPR, it is determined by the location of the organization’s main administration in the EU.
This can be difficult to work out for companies with multiple sites, so if there is any uncertainty, it is important to establish where significant decisions regarding data processing are made, as the supervisory authority for that location is likely to be your lead supervisory authority.
All of these considerations can place a great deal of strain on an organization’s infrastructure, so it is essential that companies allocate additional resources to meet these demands.
A recent WLS whitepaper warns that without planning ahead, businesses could be “left with new requirements to implement, without having set aside appropriate resources necessary to achieve compliance”.
Allocating resources at the beginning of the process is therefore a great way of easing any potential pressure later on.
For more information on the General Data Protection Regulation, ESET has a dedicated page to help ensure that when the time comes, you have everything covered.
Author: Editor, ESET