The Information Commissioner’s Office (“ICO”), data protection professionals and organisations are preparing themselves for the implementation of the GDPR on 25 May 2018.
With fines of up to 4% of annual worldwide turnover for failing to comply with the GDPR, the price of non-compliance is high. Tougher sanctions are not the only changes taking effect of which organisations should be aware. To name but a few, the GDPR will have a wider territorial scope; include a Europe-wide requirement to notify breaches to supervisory authorities; involve scrutiny of a greater volume of data; and, for many organisations, mean the appointment of a Data Protection Officer.
The impact of the GDPR is likely to differ for every business. Given the potentially substantial requirements for ensuring compliance, it is important that organisations begin to assess their readiness for the GDPR now. Below we provide a selection of current resources published by the ICO, as well as European-level guidance in the Article 29 Working Party (WP29) guidelines, which make a useful starting point for any organisation.
The ICO has provided:
- a general overview of the GDPR to help organisations understand the new legal framework;
- relevant GDPR provisions in its revised Privacy notices code of practice;
- a guide for organisations of 12 steps to take now.
The ICO is identifying what further guidance is needed as a priority and is expected this year to publish guidance on contracts and liability, and on consent.
The WP29 includes representatives of the data protection authorities from each EU member state. The WP29 has now adopted guidelines, with frequently asked questions, on the following GDPR topics:
- Data portability
- Data Protection Officers
- Identifying a controller or processor’s lead supervisory authority
This guidance is only preliminary; the WP29 invited comments from interested parties and is currently considering them.
The WP29 intends to produce guidance documents on the following over the course of 2017:
- Administrative fines
- High risk processing and Data Protection Impact Assessments
- Notification of personal data breaches
- Tools for international transfers
How CB Comply can help
Our dedicated CB Comply team has substantial experience working with SMEs on their data protection requirements. We provide a range of advice and assistance to support you in identifying and addressing the compliance challenges posed by the GDPR, from an initial discussion of your compliance gaps to a detailed audit that is flexible, tailored specifically to your business, and establishes the state of your current policies and procedures.
Once a thorough assessment of your business has been carried out and the compliance gaps have been identified, we will provide recommendations to ensure compliance is achieved, or we can work with you to implement the changes.
We have also identified a small number of data security experts who can help you to assess how vulnerable the data in your business is and offer solutions to improve security where needed.
Complying with the GDPR could be a significant task. Your organisation needs to start now to minimise the risk of a regulatory breach and a potentially large financial penalty.