A recent study has suggested that by 2020 data breaches will have affected almost 25% of the world’s population. Given the increased volume and sophistication of data breaches and the looming deadline for compliance with the General Data Protection Regulation (GDPR), it is now of paramount importance for organisations to ensure that they will be GDPR compliant on 25 May 2018.
Here Paul Walsh and Paul Twigg provide ten top tips to assist in ensuring you are compliant with the regulations.
1. Try to remember the positives
It may be hard to remember when reading the remainder of this piece, but GDPR can be viewed in a positive light. It harmonises European data protection laws, making the transfer of data easier, will encourage businesses to take data protection and cyber security more seriously, and is designed to be able to cope with advances in technology.
Being GDPR compliant can also be used to give you a competitive edge and can provide you with a selling point to your customers, reassuring them that you take data protection seriously, hold their data securely and comply with stringent European legislation.
2. But beware of the fines!
That said, the headline-grabbing change to data protection legislation in the UK is without doubt the increased fines which the Information Commissioner’s Office (ICO) can issue for data breaches.
Breaches which are considered less serious (relating to record keeping and data protection officers for example) can be punished by fines of up to 2% of annual worldwide turnover or €10,000,000, whichever is the greater.
More serious breaches (relating to a data subject’s rights or the data protection principles, for example) can be punished by fines of up to 4% of annual worldwide turnover or €20,000,000, whichever is the greater.
To put this into perspective, TalkTalk’s well-publicised £400,000 fine in 2016 could have increased to £59,000,000 under GDPR.
As well as the financial sanctions, the reputational damage which can occur following a data breach can be catastrophic.
3. Educate, educate, educate
With that in mind, it is crucial that everybody in your organisation understands their obligations under GDPR and amends their practices so that they are compliant from 25 May 2018. It is important that all staff understand the concept of personal data, the main requirements of the GDPR (especially in relation to maintaining records and notification requirements, for example) and what to do if they have concerns.
This is likely to be a huge operational challenge for most organisations and given the looming deadline for compliance, one which should be tackled sooner rather than later.
4. From the top down
GDPR is a legislative change which could have a huge impact on your organisation if you get it wrong. It is therefore crucial that the education process referred to above begins at the very top level of your organisation and that there is collaboration between the boardroom and the IT department.
Management/director buy-in is crucial to your organisation being GDPR compliant on 25 May 2018. It should be on every board meeting agenda between now and 25 May 2018 and should remain on the agenda after implementation of GDPR to ensure continued compliance.
Whether or not you are required under GDPR to instruct a data protection officer, it is good practice to appoint somebody senior who will be responsible and accountable for compliance with GDPR.
5. Audit your data
As part of your preparation for GDPR, it is important to review the personal data which your organisation holds and in particular consider:
- where it came from
- whether ‘opt-in’ consent was obtained and/or whether the consent needs to be refreshed
- why you hold the data and/or whether it can now be securely deleted
- how you use the data, and
- who you share the data with.
It is then important to review the results of the audit and consider whether the data is held in a manner which is compliant with GDPR.
6. Review your policies
As well as reviewing the personal data which you hold, it is important to review your organisation’s policies and procedures to ensure that the procedures in place are compliant with GDPR. For example, subject access requests now need to be complied with within a month and you cannot normally charge for complying with the request. Your new policy must reflect this.
You should also review, for example, your policies and procedures in relation to privacy notices and responding to individuals’ requests for information about the data you hold about them.
7. Document, document, document
There is a new ‘accountability’ principle within GDPR. It states that your organisation will be responsible for showing how it complies with the principles of GDPR. The easiest way to do this is by having policies and procedures in place, documenting your review of those policies and procedures and your data audit, and, going forward, documenting the decisions you take in relation to processing activities.
In short, if the ICO come knocking it will be for you to show that you have complied with the GDPR principles. The easiest way to do this is by producing thorough records.
8. Data processors beware
Under the current regime there are no direct obligations on data processors; however, that all changes with GDPR. Such obligations include maintaining appropriate records (see above), the enhanced breach notification provisions (see below) and the requirement to implement appropriate security measures. It is likely that data controllers will introduce contractual requirements for processors to comply with the majority of the provisions of GDPR.
You should consider whether your organisation is a data processor and become compliant with your new obligations or, if your organisation is a data controller, consider whether you need to amend your contracts with any data processors you use.
9. Don’t forget to notify
GDPR introduces much stricter data breach notification rules which must be complied with, should a data breach occur. Organisations must notify their supervising authority of all data breaches without undue delay and where feasible within 72 hours of the breach unless the data breach is unlikely to result in a risk to the individuals.
If the data breach is likely to result in high risks to the data subjects then the organisation must inform those individuals without undue delay (unless an exception applies). It is unclear at the moment what will be classed as likely to result in ‘high risk’ to the individuals, but if, for example, full credit card details have been stolen it is likely to be considered ‘high risk’.
As above, it is important to ensure employees are aware of their obligations to report data breaches and also for organisations to consider the logistical/administrative burden of reporting, should a data breach occur.
10. Rapid response plan
The final tip links a number of the tips above together and is incredibly important in light of the new obligations and enforcement provisions of GDPR. It is essential that your organisation has a rapid response plan in place and that all members of the organisation are aware of it so that, should a data breach occur, everybody knows who to contact and what steps they need to take. Given the increase in the volume of cyber attacks and the increased media attention on them, this is more important than ever.