With the EU’s General Data Protection Regulation (GDPR) applying from 25 May 2018, Kroll Ontrack, a data recovery and ediscovery products and services firm, warns organisations to renew their focus on data management to ensure they are prepared.
In May 2018 the UK will most likely still be an EU member state and so will be required to apply EU law; and the GDPR applies to any business or organisation that offers goods and services to individuals in the EU, monitors the behaviour of individuals in the EU, or processes personal data through an establishment in the EU. With such a broad scope, the majority of UK organisations will need to pay careful attention to the GDPR and prepare.
Regardless of politics, legislation surrounding data protection has been in need of attention to acknowledge and incorporate the reality of a data-driven world. Modern businesses and organisations collect and analyse personal data, consumers entrust businesses with their personal data when shopping online, and organisations need to regularly dispose of end-of-life media containing potentially sensitive data.
Data protection regulations require that such personal data be kept secure and, where it is no longer needed, that it be securely and permanently erased from the equipment that holds it.
The GDPR has teeth: in the most serious cases, those found in breach face fines of up to 4 per cent of their worldwide annual turnover or €20 million, whichever is higher. For many organisations, such fines could spell financial ruin.
Lawrence Ryz, legal counsel at Kroll Ontrack, thinks the process is a far more onerous requirement than the current regime, which operates under the Data Protection Act 1998 (derived from the Data Protection Directive), where processing of personal data needs to be adequate and not excessive.
Ryz continues, ‘Regardless of where data is located – computers, server rooms or in the cloud – secure and complete data erasure of personal information must be part of data protection processes.’
‘To successfully make the changes required by the GDPR, businesses should look to implement and update data retention and erasure processes and policies, applying these to the everyday workings of businesses to ensure a culture and methodology for compliance. This can be led by the senior members of a business and flowed down to all employees as well as to suppliers.’
Recommendations
Act now. These are the most significant updates to data protection laws since the current EU Data Protection Directive was passed in 1995 (which is now to be superseded by the GDPR). Getting ready for the GDPR will require time and resources to implement new processes, so get early and consistent support for the process of change from across the business.
Make sure the right people are involved. Assess who the right people are to audit, implement and maintain a new commitment to data security and protection. Often a cross-functional team including IT, Legal and Human Resources should be consulted. It is crucial that prompt action is taken and that all key stakeholders and decision makers are aware and understand the impact of the new legislation.
Find out what data and personal data you have. It is critical to map data flows to understand what data you have, where it is stored and in which systems. Planned audits and the resources for this work should be scheduled sooner rather than later.
Securely delete data you do not need. Certainly there are legal obligations to retain certain types of data. Where retention is not required, disposing of the data reduces risk. Data erasure should be done professionally, as secure erasure can require specialist equipment or software: overwriting does not reliably sanitise flash media such as SSDs, where the drive’s own secure-erase or cryptographic-erase function, followed by verification, is needed.
Communicate. As with any change in process, good communication is essential. This will involve internal communications to all employees and external communications to suppliers to make them aware of changes and to afford them time to amend their processes.
Understand the new changes. Individuals’ rights, such as the right to be forgotten (the right to erasure), may require enhanced processes for deleting information. Subject access requests to data controllers require a plan for responding and for delivering the information. Under the GDPR, in most cases the data must be provided within one month of the request.
Consider a privacy impact assessment. When auditing the business’s processing of personal data in relation to the rights of data subjects under the GDPR, determine whether a privacy impact assessment (termed a data protection impact assessment, or DPIA, in the GDPR) is required. Consider whether invasive means of collecting personal data are used and whether data is processed fairly and lawfully, meaning the subject is informed about the purpose of use and how the business processes personal data in a transparent fashion.