The fact that you're reading this blog means that you're probably familiar with the EU GDPR, the possible impact it may have on your business, and the consequences should you find yourself on the wrong side of non-compliance – especially if that non-compliance is highlighted as the result of a breach in which identifiable personal data is compromised. I recently conducted a roundtable lunch where the topic of conversation was “Preparation for the EU GDPR.” The conversation proved to be lively, but there were two very interesting discussion points that somewhat concerned me:
- 90 percent of those businesses represented by the 40+ luncheon attendees had not started any form of preparation for the GDPR and had no immediate plan to do so.
- A large portion of those attending believed that the business they represented would wait to see how GDPR would handle the first instance of a breach. Many believe the threat of fines up to four percent of annual turnover is exactly that – just a threat – while many more questioned how these regulations and fines could be enforced against China and other countries outside the EU.
I wasn’t entirely surprised. When you consider the myriad of industry and legislative regulations that have appeared over the past 20 years, not to mention the number that have a far worse bark than bite, one could almost describe these standards as “sheep in wolves’ clothing.” Despite the picture painted above, I’m still of the opinion that many organisations will dedicate time, resources and money to meet the requirements of the regulation. If not because they see GDPR compliance as a positive step forward in their overall security posture, then because the cost of compliance is going to be far less of an impact on their business than the fine would be should they be breached and found non-compliant. The UK Information Commissioner’s Office (ICO) suggests organisations that currently comply with existing UK data protection law are more than likely to be largely compliant with GDPR, but it stresses that a number of the Regulation's new requirements will be more onerous for data controllers. To help organisations prepare for GDPR, the ICO also published a 12-step guide, a full copy of which can be found HERE. A summarised version of the guide is provided below:
- Awareness – Ensure that decision-makers and key members of the organisation are aware that the law is changing and that they appreciate the estimated impact to the business in terms of policy, process, time, resources and potential fines for non-compliance.
- Information Held – Audit and document what personal data is held within the organisation or by third parties on behalf of the organisation. Understand the information flow, including where it came from, how it’s protected and with whom it's shared.
- Communicating Privacy Information – Review current privacy notices and create a plan that highlights any necessary changes before the GDPR takes effect.
- Individuals’ Rights – Review procedures to ensure organisations address all of the rights that individuals will have under the GDPR:
  - The right to be informed.
  - The right of access.
  - The right to rectification.
  - The right to erasure.
  - The right to restrict processing.
  - The right to data portability.
  - The right to object.
  - Rights in relation to automated decision making and profiling.
- Subject Access Requests – Update procedures, plan how to handle requests within the new time frames, and provide the requested information.
- Legal Basis for Processing – Review data-processing activities, as well as identify and document the legal justification for each type of activity.
- Consent – Review how the organisation seeks, obtains and records consent, and consider whether any changes are required.
- Children – Consider implementing new systems to verify individuals’ ages and to gather, where necessary, parental or guardian consent.
- Data Breaches – Make sure appropriate procedures are in place to detect, report and investigate data breaches within the new time limits.
- DP by Design and DPIAs – Become familiar with ICO guidance on Privacy Impact Assessments and determine how and when they should be implemented.
- DPO – Designate a Data Protection Officer, if required. Determine where the role will sit within the organisation’s structure and governance arrangements.
- International – If the organisation operates internationally, determine which data protection supervisory authority will be responsible for its regulation.
Regardless of whether you consider the GDPR “unnecessary government interference” or “industry best practice,” it will come into effect on 25th May 2018, and if it applies to you, you could be liable for massive financial penalties if you suffer a data breach and are then found to be non-compliant. You therefore have every incentive to learn as much as possible about the GDPR in the meantime. To help organisations prepare themselves for GDPR, Tony Morbin, Editor-in-Chief for SC Magazine UK, and I will be hosting a webcast entitled "EU GDPR Planning – Prioritising Your Checklist" on December 15, 2016, at 02:00 GMT. During our presentation we will discuss what organisations can do to plan for GDPR, including what priorities they should keep in mind. Those interested in attending the webcast can register here.