May 2018 will see the implementation of the EU General Data Protection Regulation (GDPR). There has been much hype about the new rules but Jill Dovey, IT law and data protection specialist at Muckle LLP, has some advice on how businesses can start preparing.
We’ve all seen the news. The numerous cyber-attacks and security incidents at organisations around the world have propelled data protection to the top of board agendas everywhere.
GDPR is a result of these incidents but also changes in technology, the way we interact and the vast quantities of data created every second of every day. Existing data protection laws pre-date the internet and just don’t relate to our connected world today.
Is this the end of data breaches and cold calling?
GDPR is focused on data which identifies us as individuals and seeks to protect us. It won’t stop covert tracking online, profiling and cold calling, but it will make sure they are done transparently, putting us in control of our information.
Of course, there’s always going to be an element of human error, so GDPR won’t stop all breaches. It will, however, help you identify where your business might be attacked, highlight improvement opportunities and address vulnerabilities proactively rather than reactively.
Why businesses should act now
Lots of businesses don’t know where to start with GDPR compliance, so you’re not alone if you find the prospect daunting.
The reality is GDPR will impact all businesses. Whether you are a small trader or large global operator, everyone needs to be prepared. And there are some pretty hefty fines for any businesses that don’t comply – up to €20m or four per cent of your global annual turnover, whichever is higher.
Earlier this year I spoke alongside the Information Commissioner’s Office (ICO) at GDPR – Making it real, the BCS Chartered Institute for IT’s national event, and presented on the legal implications for businesses. The ICO website should be the starting point for information for all businesses on GDPR. It has lots of accessible guides and a blog about the upcoming changes.
My top tips for getting ready
The first thing that any business should do in preparation for GDPR is map the flow of personal data through its organisation, from collection to destruction. The data map will need to be constantly updated to reflect changes within the organisation, and all data processes, procedures and policies will be based on it.
To help organisations prepare for GDPR, the ICO has created a ‘12 Steps To Take Now’ checklist. Step 2 advises organisations to document what personal data they hold, where it comes from and who they share it with. This should all be included on your data map.
The checklist indicates that you may find compliance difficult if you leave your preparations until the last minute. Like most things, the earlier you start the better. The exercise won’t be completed on 25 May 2018 either, when the legislation comes into force. GDPR requires you to continually review, analyse and improve how you process and handle data.
Businesses should, as a minimum, work through the checklist and document how they have addressed each point. The impact of GDPR will be different for each and every business – there is no ‘one size fits all’ option or approach.
For small- and medium-sized businesses, the ICO also has a self-assessment toolkit that can be used to determine what areas they need to focus on and address.
While there is much to consider, it is important to remember that GDPR isn’t just about protecting data. It is about protecting your business too.