Most businesses will have preparations underway for the more stringent climate of data privacy that the EU’s General Data Protection Regulation will herald.
These preparations centre upon accommodating a new culture of consent, with HR processes and protocols adapting so that data is collected, stored and processed in a way that prioritises transparency and data security.
But how are the big businesses dealing with this journey towards compliance?
Avoiding a data breach
In the US, GDPR has become a priority for 92% of multinationals, with 68% committing between $1m and $10m towards preparation, according to PwC studies. The primary driver is fear of a data breach: organisations found in breach of the GDPR face fierce fines, lost revenue and lost consumer confidence.
Failure to notify the supervisory authority of a personal data breach could result in a fine of up to 10 million euros, or 2% of worldwide annual turnover, whichever is greater.
Greater administrative burden for a compliant, safer future
To uphold data security and avoid a data breach, companies will have to revamp their data records, ensuring that only information collected in a GDPR-compliant way is held in their databases. This will be an ongoing and painstaking procedure, but in the long term firms will end up with leaner data stores of greater integrity.
Data subjects will also have the right to erasure (the "right to be forgotten") and the right to rectification, that is, to have inaccurate personal information corrected or completed.
A new data protection notice
US firms are meeting these requirements by issuing a new data protection notice that’s fit for GDPR purpose and unique to each organisation. The next step is to shore up prevention measures against any potential data breach.
The Information Commissioner's Office (ICO) advises that companies designate a dedicated team or person to manage this crucial area, and ensure that all staff know how to recognise that a breach has taken place.
Organisations should then:
- have a data breach assessment process in place, so that the risk to individuals can be assessed and, where that risk is high, the affected individuals can be notified without undue delay
- know what at-risk individuals need to be told about the breach, and be able to offer advice and protection against its effects
- have a process in place so that the ICO is informed of a notifiable breach within 72 hours of the organisation becoming aware of it (not of the breach occurring), even if all the details are not yet known; missing details can be supplied in phases
- be able to formally document and securely record every data breach, including those judged not to require notification.
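The four steps above amount to a small workflow: start a 72-hour clock when the organisation becomes aware, decide who must be told based on the assessed risk, allow the initial report to be supplemented later, and document every breach whether or not it is notified. The Python below is an added illustration of that workflow; it is not code from the article or from the ICO. The three-level risk scale, the register layout, the breach references and the sample incidents are all constructed for this example and are not real cases.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional

NOTIFICATION_WINDOW = timedelta(hours=72)   # within 72 hours of becoming aware


class Risk(Enum):
    """Assumed three-level outcome of the breach risk assessment (this example's own scale)."""
    UNLIKELY = "unlikely to result in a risk"   # record only; no authority notification
    RISK = "likely to result in a risk"         # notify the supervisory authority
    HIGH = "likely to result in a high risk"    # also notify the affected individuals


def utc(*parts: int) -> datetime:
    """Timezone-aware UTC timestamp; the register rejects naive datetimes."""
    return datetime(*parts, tzinfo=timezone.utc)


@dataclass
class Breach:
    ref: str
    occurred_at: datetime          # best estimate of when the incident happened
    aware_at: datetime             # when the organisation became aware: the clock starts here
    description: str
    risk: Risk
    authority_notified_at: Optional[datetime] = None
    subjects_notified_at: Optional[datetime] = None
    log: List[str] = field(default_factory=list)   # facts as they were known at each step


def deadline(b: Breach) -> datetime:
    """The 72-hour window runs from awareness, not from occurrence."""
    return b.aware_at + NOTIFICATION_WINDOW


def must_notify_authority(b: Breach) -> bool:
    return b.risk is not Risk.UNLIKELY


def must_notify_subjects(b: Breach) -> bool:
    return b.risk is Risk.HIGH


def hours_remaining(b: Breach, now: datetime) -> float:
    """Hours left in the window; negative once it has closed."""
    return (deadline(b) - now).total_seconds() / 3600


def authority_notification_overdue(b: Breach, now: datetime) -> bool:
    return must_notify_authority(b) and b.authority_notified_at is None and now > deadline(b)


class Register:
    """Every breach is documented, notified or not."""

    def __init__(self) -> None:
        self._entries: Dict[str, Breach] = {}

    def record(self, b: Breach) -> Breach:
        for ts in (b.occurred_at, b.aware_at):
            if ts.tzinfo is None:
                raise ValueError(f"{b.ref}: timestamps must be timezone-aware")
        if b.aware_at < b.occurred_at:
            raise ValueError(f"{b.ref}: cannot become aware of a breach before it occurred")
        self._entries[b.ref] = b
        b.log.append(f"{b.aware_at.isoformat()} recorded: {b.description} ({b.risk.value})")
        return b

    def get(self, ref: str) -> Breach:
        return self._entries[ref]

    def notify_authority(self, ref: str, at: datetime, known_facts: str) -> None:
        """Initial notification; it may be incomplete and supplemented later."""
        b = self.get(ref)
        b.authority_notified_at = at
        b.log.append(f"{at.isoformat()} authority notified: {known_facts}")

    def supplement(self, ref: str, at: datetime, new_facts: str) -> None:
        """Details that were not available inside the 72 hours are added as they arrive."""
        self.get(ref).log.append(f"{at.isoformat()} update: {new_facts}")

    def notify_subjects(self, ref: str, at: datetime, advice: str) -> None:
        b = self.get(ref)
        b.subjects_notified_at = at
        b.log.append(f"{at.isoformat()} individuals notified: {advice}")

    def overdue(self, now: datetime) -> List[str]:
        return sorted(r for r, b in self._entries.items() if authority_notification_overdue(b, now))


def demo() -> Register:
    """Constructed sample incidents, not real breaches."""
    reg = Register()
    # Forensics date the compromise to 30 May; the clock still starts on 4 June, when it was found.
    reg.record(Breach("BR-001", utc(2018, 5, 30, 2), utc(2018, 6, 4, 9),
                      "customer database exfiltrated (names, emails, hashed passwords)", Risk.HIGH))
    reg.notify_authority("BR-001", utc(2018, 6, 5, 16), "exfiltration confirmed, scope under investigation")
    reg.notify_subjects("BR-001", utc(2018, 6, 5, 18), "reset your password and beware of phishing")
    reg.supplement("BR-001", utc(2018, 6, 10, 11), "41,200 records affected, attacker access revoked")
    # Encrypted laptop lost: documented, but no notification required.
    reg.record(Breach("BR-002", utc(2018, 6, 6, 13), utc(2018, 6, 6, 14),
                      "full-disk-encrypted laptop lost in transit", Risk.UNLIKELY))
    # Misdirected payroll email found on 1 June and still not reported.
    reg.record(Breach("BR-003", utc(2018, 6, 1, 8), utc(2018, 6, 1, 8),
                      "payroll spreadsheet emailed to the wrong supplier", Risk.RISK))
    return reg
```

Running `demo()` and then `overdue(now)` against a date after 4 June flags only BR-003: BR-001 was reported inside its window even though the intrusion began days before discovery, and BR-002 needs no report but is still in the register.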
Ahead of the pack
In Britain, Marketing Week (marketingweek.com) reports that Cancer Research UK is leading in terms of readiness for GDPR. The charity was one of the first organisations to implement active opt-in to data usage, giving data subjects more awareness of, and more control over, how their details are used.
CRUK's strategy began with creating a cross-functional GDPR team and steering committee to oversee the governance of marketing. The charity's head of compliance chairs this committee, while another team studies how the GDPR will play out across departments and regions, ensuring that resources are available where and when they are needed.
Teams and external suppliers are kept in the loop of an ongoing compliance conversation that educates all stakeholders as the 25 May 2018 deadline approaches. CRUK started with a full data audit. Training is another key area: only members of staff who have completed GDPR training will be allowed to process personal data.
The charity's director of individual giving, Graham White, says:
“Essentially it is finding out what we need to know, making the changes and then making sure people are properly trained on it. The GDPR message is being very clearly communicated from the senior team to everyone here so that everyone is on board and when it comes to making time for doing this, it is a priority.”
Keep the ball rolling
Different firms will be at different stages of the journey to compliance, but the key message is still very much about business owners educating both themselves and their teams so that change is driven by a culture of awareness.
You can get your questions answered at GDPR Conference Europe, a one-day event packed with insight from key UK authorities on the forthcoming legislative changes.
GDPR Conference Europe features 10 keynote presentations and live panel discussions that will provide case studies, specialist guidance, actionable steps to compliance and much more.
PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.