Next May, the UK will apply the General Data Protection Regulation (GDPR). Dubbed as the most important change in data protection of the past two decades, this ruling is set to protect all EU citizens’ data privacy, and enforce changes needed in the business sector which ensure that organisations protect people’s data.
Despite Article 50 being triggered on March 29th, the timing of Brexit is such that, no matter how things play out with withdrawing from the EU, the UK will be fully subject to GDPR regulations for some time. The nature of the GDPR is such that any company dealing with EU citizens’ data, wherever they may be located, will be expected to meet its standards.
With just over a year left before the ruling, Osman Khawaja, solutions architect at computer solutions company Misco, advises how UK businesses can prepare for changes that will occur and avoid a hefty fine.
1. Establish how your organisation deals with data
The GDPR framework aims to make data controllers and processors accountable for data privacy beaches; one of the larger changes to regulations in the UK.
It is therefore crucial to find out whether your business is a data processor or a data controller, as not all organisations involved in the processing of personal data have the same degree of responsibility. Data controllers are liable when it comes to data protection and are held responsible for protecting it.
2. Prepare your staff for changes
It is important for businesses to prepare staff on how GDPR will impact them, from day-to-day running to the severity of penalties received due to security breaches.
Carrying out regular training, both in the lead up to May 2018, and at routine intervals thereafter, will increase staff awareness of their responsibility within the legislation and encourage proactivity in safeguarding against potential cyber attacks.
For many companies, ensuring compliance once the regulation has gone into effect will be too little, too late. Proactive preparation is key to ensuring your business is not fined under the GDPR; it is vital that businesses keep staff up to date with any changes expected of them in job activity, before they occur.
3. Update processes and procedures
The biggest change that GDPR will bring to businesses is the level of accountability they have for security breaches. The legislation increases the pressure for businesses to understand the risks which poor security measures create and take steps to reducing those risks.
In order to protect data, companies will be required to implement ‘a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing’ (Regulation (EU) 2016/679). It is well worth assigning responsibilities to either an individual data protection officer, or across a dedicated team, and regularly training them on any processes you bring in. Ensure that staff across all levels, including board members, are aware of their own accountability within keeping data secure.
Under the GDPR, businesses will need to create a framework in which privacy is at the forefront of all processes and procedures. This includes making sure that safeguards and controls are in place to ensure any data is kept confidential, accurate, and easily available when needed.
If your data is supplied by an external company, set up meetings with them to ensure that they themselves are compliant. If your supplier does not properly safeguard the confidentiality, you are still liable for any security breach.
Under the new regulation, you will need to show both how and when consent was given. Customers must explicitly consent to their data being stored and processed; passive acceptance, for example through pre-ticked boxes or opt-outs, will not be enough to show consent. Your business will need to be able to demonstrate this; contacting customers and getting this ahead of May 2018 will ensure that your database going into the new regulation is up to date and imposes no risk of breaching the act.
As more customers become aware of their rights, it’s likely that you will see an increase in those asking for their data. Begin creating a plan outlining the process and staff responsibility in how to respond to these requests, including a precise timeframe which this must be done in.
It is also important to put in a process for reporting any breach of data. Failure to report a breach to the Information Commissioner’s Office (ICO) will result in a fine. Where possible, data must be reported within 72 hours, so keeping up to date records will become a necessity once the new regulation is in place.
Further reading on GDPR
