8 steps towards better GDPR preparation
The introduction of the EU General Data Protection Regulation (GDPR) may be more than a year away, but many businesses are already considering the implications of failing to comply.
The GDPR aims to strengthen data protection and privacy practices across Europe, which will affect organisations on the continent and any others that do business with European companies.
Failing to comply comes with heavy penalties; national data authorities will be able to levy fines of up to four per cent of an organisation’s annual revenues or €20 million – whichever figure is higher.
As the GDPR’s introduction draws nearer, compliance departments will be preparing for the changes, but what measures should businesses be taking? Here are some of the steps that the Information Commissioner’s Office has published regarding best practice.
1. Information audit
Organisations must document the personal information they have stored, where this information originated from and who has access to it. In some cases, this may require an information audit to ensure everything is accounted for.
2. Hire data protection officers
Businesses are likely to require dedicated data protection officers to comply with the GDPR, and they will have responsibility over all personal data held within the enterprise. Where these individuals are situated within the corporate hierarchy must also be confirmed.
3. Re-evaluate consent processes
Obtaining proper consent for personal data is a significant part of the GDPR, and the rules have become much more stringent. This will force company owners to assess how they are currently seeking permission to use information and make changes where necessary.
4. Strengthen data breach protocols
The GDPR requires organisations to report data breaches to multiple authorities within 72 hours of finding out they have occurred. Any departments that are not able to comply with this deadline will need to reassess their existing set-up.
5. Boost board awareness
The GDPR is a significant change for many businesses, and complying with the directive should be an important issue at the board level. Corporate governance professionals must ensure their senior executives are aware of their obligations and the potential fallout of failing to meet standards.
6. Assess data processing legality
Organisations often carry out data-processing tasks, but these activities are set to come under much greater scrutiny once the GDPR is implemented. It is therefore important to identify what legal basis businesses have for data processing and document the reasons.
7. Amend privacy notices
Greater respect for privacy is a core part of the GDPR’s purpose, so any privacy notices that organisations currently use must be thoroughly reviewed to ensure they comply with the directive. If not, businesses need to implement a plan for resolving any issues as quickly as possible.
8. Draw up Privacy Impact Assessments (PIA)
Enterprises must produce a more comprehensive paperwork trail regarding their data and privacy policies – and PIAs are just one example of this. These documents will show that businesses are aware of data risks to their operation and list any measures taken to mitigate them.
These are just some of the preparations that businesses should consider before the GDPR is introduced. However, recent research has suggested that organisations have a long way to go before compliance with the upcoming directive becomes a reality.
How prepared are businesses?
Organisations may feel they have plenty of time to prepare for the GDPR, but this might not be the case given the complexity of the changes and potential overhauls that could be required within some operations.
A recent survey from the Centre for Information Policy Leadership (CIPL) and AvePoint, published in ITPro, claimed 23 per cent of respondents would not be allocating any additional resources to dealing with GDPR’s introduction.
Meanwhile, 57 per cent said they had discussed extra budgets, headcounts and other measures, but no firm decisions had been made.
“Companies that I think are in the best position to respond to GDPR right now… are companies that are already heavily regulated, probably are the closest to having a programme that would be ready to go – such as financial services,” stated Dana Simberkoff, chief compliance and risk officer at AvePoint.
“But that does not represent the vast majority of even large companies.”
Looking to the future
Clearly, the GDPR is set to have a massive effect on organisations across Europe and beyond, and those that are slow to respond could find themselves in a troubling position.
Bojana Bellamy, president of the CIPL, added that the GDPR marks a generational shift in the way organisations will have to manage data and privacy laws.
“The new law will affect the risk profile of organisations, impact their management, use and sharing of data, as well as their IT systems and infrastructure,” she explained.
“But the GDPR also represents an opportunity for organisations to consider data privacy compliance more strategically and holistically, as it becomes key to their data strategy and the digital transformation of their business.”
Is your organisation ready for the GDPR? Or will you need to strengthen your compliance, security and other corporate governance departments over the coming months?