Last year the UK government announced the Data Protection Act 1998 will be replaced by General Data Protection Regulation (GDPR) from May 2018. The previous act was drafted before the internet and cloud computing had transformed the way personal data is traded and potentially exploited by businesses. GDPR aims to not only resolve these issues and therefore vastly improve security levels, but also enforce strict fines to ensure compliance.
With less than six months until mandatory compliance, it’s vital businesses and their partners prepare for the upcoming legislation regardless of how far along their digital journeys they are. Failing to do so will incur fines which could cripple even the largest of firms – €20 million or four per cent of annual turnover, whichever is higher.
To ensure this doesn’t happen to your practice, below is a roadmap towards GDPR compliance, including four simple steps businesses must take now to ready themselves for the 25th May 2018.
Step one: Assign a data protection lead
GDPR is an all-encompassing regulatory change, so every member of the business must understand how this impacts not only their own processes, but also their clients. Companies shouldn’t simply roll out the changes and expect every member of the team to instantly understand – there needs to be a clear strategy in place which fosters change. This is why the first step for every organisation must be to assign a data protection lead if they haven’t already.
Rather than expecting every employee to digest and understand the intricacies of GDPR, the lead should be expertly trained to fully understand the regulations. They should be responsible for educating the rest of the business, as no company can afford news on this type of widespread change to come down the grapevine.
Although the data protection lead can’t be expected to wave a magic wand to make the business compliant on their own, they must have the authority to make changes and support managers when implementing changes. This will set the groundwork for GDPR compliance in advance of May 2018.
Step two: Train staff to raise awareness
Although the data protection lead will own GDPR within the company, data security is the responsibility of everyone – from the c-suite to HR and customer service. A business is only as strong as its weakest link, so it’s vital every employee is confident in their role and understands what the regulations mean for their daily processes and interactions with customers.
With the sheer volume of detail found within the upcoming legislation, this isn’t something professionals can comply with by making a few small changes. A full training programme should be introduced covering the principles of data protection, the concepts of individuals’ rights and how the business is protecting client data.
Training should also include discussions of exactly what happens if a data breach occurs and the importance of notifying the relevant parties of the breach within 72 hours. After all, even the most secure businesses can fall foul to data breaches, whether caused by emails accidentally being sent to the wrong client or through full-blown cyber attacks. This is why it’s key businesses are prepared for the worst-case scenario in the digital age.
Step three: Audit existing processes
The open discussions which take place during GDPR training sessions will highlight areas of concern from the wider workforce. Will this change the way they interact with customers? Does data need to be filed and stored differently? Do they need to move away from paper-based processes and become more digitally minded?
These and many more questions besides must be answered before a business can be fully compliant but just paying them lip service isn’t enough. Companies must carry out a full audit of existing processes and evaluate the weak links with that worst-case scenario in mind. Everything from the strength of passwords to how data is shared between colleagues and with customers must be scrutinised.
Once the potentially unsecure processes have been highlighted this can be used to overhaul the way the entire business works if necessary. This may sound extreme but for more traditional organisations still using outdated processes there won’t be a choice. It’s certainly more cost-effective than trying to transform the business after receiving a €20 million fine.
Step four: Create an action plan
Once a data protection lead has taken the reigns, trained the entire workforce and conducted an in-depth audit of working processes, there is one step left to reach the nirvana of GDPR compliance – creating an action plan. With the weak links identified, a plan must be put in place which resolves these shortcomings to ensure the business is running a tight ship come May 2018.
Any policy changes must be clearly defined, documented and shared with the entire workforce and become the new business as usual. This isn’t a case of the new processes being an ideal which will be met most of the time – if just one member of the team slips back into old habits it could result in hefty fines and potential business failure. Once fully compliant, the company will then be in a strong position to offer consultancy to their partners and customers on changes in services and communication. This is equally important, as working with a non-compliant business can be just as harmful as a company being non-compliant itself.
GDPR is one of the biggest changes in legislation to hit businesses in decades and can’t be taken lightly. With less than six months until compliance is mandatory, time is running out for professionals to ensure their business, partners and customers are secure. No company, regardless of their size or sector, can afford the severe fines in place, so acting now is the only option if you don’t want a failing business on your hands.
Further reading on GDPR
Sion Lewis is CEO of IRIS Accountancy Solutions
