The EU’s general data protection rules (GDPR) come into force on the 25th of May 2018, at time of writing that’s just under 8 months away.
The rules are already in the UK statute books, and the ICO has confirmed they will continue post Brexit. In short, you need to be prepared. But, and it’s a big but, too many people aren’t aware that they need to be compliant – recent surveys have stated 43% of senior execs at major corporations and 84% of small business owners don’t know what GDPR is, or that it is coming into effect.
And with fines significantly increasing to a potential €20 million or 4% of global turnover (whichever is greater) for serious breaches, this lack of awareness is worrying – especially given 39% of companies who know about it fear it could put them out of business.
And it’s not just breaches – under GDPR, an organisation can be fined if it is found to have prepared properly for GDPR.
UK Google searches for ‘GDPR’ since January 2015. Is awareness finally kicking in?
Google search data for “GDPR” provides good and bad news. Good news, awareness is growing, searches have increased by 25% in the last month alone. Bad news, this jump means it started from a worryingly low level – and being left too late.
So, what should you have in place? And what should you be thinking about?
GDPR significantly tightens rules around personally identifiable information (PII). Consent needs to be unambiguous – tick boxes can’t be pre-filled or near Ts&Cs tickboxes, and old consent (over 1 or 2-years’) isn’t consent. And consent needs to be obtained for all communications. Furthermore, data needs to be effectively anonymised / pseudonymised to minimise risk in the event of a breach.
So, the first step is a review of the type of data held. Is it identifiable? Documentation is needed, showing how it’s used (marketing/HR…) and how it was generated (your own/third party).
Once completed, consider if the data is appropriately consented for its intended use? Then, create a plan to understand how to get these data fit for purpose under GDPR.
It’s vital to have this done as early – it will affect operations and logistics, with changes having knock-on effects on systems, and processes – possibly resulting in disruptive / costly re-coding.
Review of PII data
It’s likely your staff’s PCs will have unauthorised data on – we’ve not done an audit where it hasn’t been there.
For PII data, set up a central asset register to understand the knowledge in the business, how it is used and who has access. As well as how it was received, how long it should be kept for, and deletion confirmation for data.
This inventory should also assign responsibility to specific people (or positions) in the company; creating a paper trail for when something goes wrong, and helping prevent it happening. It will also foster a cultural change so people know they should declare data on their systems.
Understand legitimate interest
There are exemptions to consent, you can communicate with existing customers if a legitimate interest exists – this includes allowing you to run your business. And you need to justify this – with the process well documented.
Unfortunately, legitimate interest is a minefield, with many in the data compliance industry seeking clearer guidance. A recent DMA poll suggested 1 in 4 marketers are concerned about how it can be applied, unsurprisingly the topic was probably the biggest of our three key unanswered questions in a recent GDPR blog.
Next, audit your security procedures. Are pseudonymisation techniques (eg hashing) used? Can only the right staff access PII data? Are external servers password protected? Are laptops encrypted?
You will need to document policy for each element of security – from archiving procedures, to password-protected sftp data transfer protocols.
If you’re a small organisation visit the government-backed Cyber Essentials, designed to help protect them against the usual attacks.
Contracts with third parties
Your third parties – say a list provider – will play a key role in you being compliant. And therefore liability needs to flow to them regardless of whether they are providing or receiving data.
Ensure clauses in your contracts take GDPR into account – and use these to bind bound third parties to GDPR.
Like suppliers, your staff also need follow GDPR policies. Clauses must be in contracts – as a company wide stipulation, not just for those working with data.
For older contracts, a 1-page addendum should be created and signed by all, so each employee adheres with the law.
HR policies need to updated too, for example deliberate misuse of data needs to becomes a gross misconduct issue. And ongoing data protection staff training needs to be in place.
The above audits can be carried out internally, or with the assistance of an independent expert such as ourselves.
Either way, the end goal is to understand where the gaps are – with a plan and project team in place to close the them. This team will need to bring together skills from across the company, with many disparate areas of knowledge. And should be led by a data compliance officer (or IT director / legal expert / chief data officer if not yet in place).
Data protection officer (DPO)
The next seven months will largely be dictated by the results of the gap analysis. However, In addition to this many companies will need to assign a DPO, and soon.
GDPR stipulates those organisations over 250 people, from the public sector, or who work primarily in data – employ a DPO. For others, a DPO is highly advised if you are working with sensitive data – be it medical trials, union membership, religious affiliation, sexuality… The DPO needs to be able to report (potentially very expensive) issues to the board and have them act, so gravitas and confidence is essential.
If you’ve not already done so, hiring one urgently. There are too few with experience, and they are in demand. For some this may require a full time DPO, for others, this can be an outsourced or part-time function. And data compliance companies, such as ourselves, can help you find a strong DPO or additional staff to prepare for GDPR.
The auditing process
Recent surveys have reported that just 31% believe they’re ready for GDPR, and subsequent analysis suggests this is due to overconfidence, with figures being closer to 2%.
Documentation plays a significant part of preparing for the new data protection laws, and an organisation can be fined if they have not got themselves fit for purpose. There is a big demand that policies, processes, inventories… everything is documented.
The clock is ticking, if you’ve not already started you will need to get going urgently. Begin your audit, you can do this either inhouse, or via a consultancy. Either way, begin soon.
By Lisa Chittenden, from Data Compliance Doctors
GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
Further information and conference details are available at http://www.gdprsummit.london/