In May 2018, the EU’s new General Data Protection Regulation (GDPR) will come into force – with significant implications for UK businesses. The new regulations raise the bar when it comes to the cost of security breaches: not only must the company inform all individuals affected by the breach, as well as the Information Commissioner’s Office (ICO), within 72 hours, but the fines can be up to €20 million or 4% of global revenue.
However, GDPR compliance demands far more than breach honesty. It demands organisations take a more proactive approach to managing and safeguarding data – and that requires both new data management processes and improved employee education.
Key demands of the new data protection regulation include:
- Individuals must give explicit consent for personal data to be collected and used, and must understand how this information is going to be used.
- Companies must clearly stipulate the legal channels available to individuals should data processing not comply with its agreed-upon use.
- All personal data must be erased after a prescribed period of time.
There are a number of steps organisations need to take today to prepare not only for GDPR but to also ensure the business is operating in line with existing data requirements, such as the Data Protection Act.
Allocate Resources
A senior member of staff needs to be responsible for data security – with the value of potential fines this is now too big an issue to leave to junior employees. Ensuring a key individual both understands the requirements of GDPR and is empowered to roll out essential user education about data management and security is essential.
Privacy First
Whilst data sharing has become a priority for organisations looking to improve business performance, the reality of changing regulations means that organisations must take a privacy-first approach to safeguarding information. From staff awareness to data storage and disposal, the safety and security of sensitive information should be a priority.
A secure approach to data disposal should already be in place to meet existing requirements; however, the requirements of GDPR bring disposal into sharp focus, and it will be essential to have a clear, auditable approach to destroying data.
Define Data Processes
There are a number of key aspects of GDPR compliance that need to be embedded within operational processes.
- Data Security, Management and Disposal: What security measures are in place to prevent data breach and how often are they reviewed? What is the policy for secure data disposal and does it deliver the auditability now required? Ensuring these processes are effective – and demonstrably so – is essential.
- Information consent: Ensure all clients are informed about the data being collected and held, and how it will be used. Clarify the ways in which consent will be obtained, how that consent is recorded, and how the business will respond to client questions about consent.
- Breach management and reporting: With just 72 hours to report a breach to the ICO, as well as affected individuals, organisations need to put in place – and test – a clear strategy for responding to data breaches.