Find out how the General Data Protection Regulation (GDPR) could have a positive impact on your business and get started on your GDPR journey.
April 19, 2018
Are you caught in the GDPR whirlpool, drowning in a sea of whitepapers, reviews and other publications about GDPR compliance, and not really knowing where to start? Well, lift your head up for a moment, take a deep breath and read on.
The EU General Data Protection Regulation (GDPR) applies from 25th May 2018 and supersedes the UK’s Data Protection Act 1998. It applies to organisations that process personal data (including the ‘special categories’ of data, which the 1998 Act called ‘sensitive personal data’) within the EU, whether as a controller or as a processor. It also applies to organisations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour.
Your first impression of the GDPR may be that it is overwhelming, especially with the technical jargon in the regulation and the threat of fines of up to 4% of annual global turnover or €20 million, whichever is higher, for a breach of it. But don’t panic!
Why not kickstart your journey here by following the six steps below: understand the regulation, plan your approach, map your data, review your policies and procedures, test your processes, and audit regularly? This will help you identify your regulatory obligations as a business and the actions you need to take to become compliant.
To help understand the regulation, start by reading our Helpful Information document, which defines some key terms and provides a concise overview of the regulation. It has been derived from the Information Commissioner’s Office (ICO) Guide to the GDPR. For a more in-depth understanding, refer to the full guidance on the ICO website.
Alternatively, you may choose to seek specialist advice or enrol on a certified EU GDPR training course which can help you gain the knowledge and operational skills to implement an effective compliance programme within your business.
The key people in your organisation should be involved in planning your approach to GDPR. It may be useful to look at your approach to governance and how you manage data protection as a corporate issue.
Use a simple, methodical approach to extract the key components of the regulation that are pertinent to your business and put some fundamental measures in place. Even if you are not fully compliant by the deadline, it will demonstrate that you are working towards compliance and not just burying your head in the sand!
Carry out a data mapping exercise to identify what type of personal data you are processing and the flow of data through each of your departments. Ask the following questions to find out how you access and store data and the means by which you share and secure it.
What personally identifiable information (PII) do you hold?
- Names, addresses, dates of birth, photographic or magnetic tape images, digital images, fingerprints, bank card/account details, payroll details, driving licence number, passport number, NHS or National Insurance number, DBS forms, email and IP addresses. Some of these, such as fingerprints used for identification and any health data, are ‘special category’ data under the GDPR and need an additional lawful basis before you may process them.
How did you obtain or capture the data?
- Face to face, via a third party, phone, SMS, fax, online forms, electronic format (see PECR guidelines), surveys, signed contracts, scans, photocopied documents, digital voice or sound recordings, digital images, photographic file or magnetic tape images, hardcopy images.
How are you obtaining and storing the data?
- Using desktops, laptops, tablets, mobile phones, audio devices, digital voice recorders.
- On hard disks, memory sticks or other storage devices.
- On premise (network/servers) or in the cloud.
- In the office, public places, at home; using WiFi (home or public) or via a VPN (Virtual Private Network).
- Via CRM systems, accounts packages, databases, spreadsheets, email distribution lists.
- Hard copies/files (in an open office or securely locked cabinet).
What do you need the data for?
- To contact an individual or group of people directly regarding a product, service or as an advisory.
- As an intermediary or third party processor.
- For sales, marketing or advertising purposes.
- To process data for reporting purposes, e.g. surveys or statistical reports.
Who is accessing the data?
- Employees, professionals, the general public, third parties, adults or children.
How are you processing the data?
- Is it processed by individuals or automatically? Automatic processing is “by means of equipment operating automatically in response to instructions given for that purpose” (DPA 1998). Note that the GDPR gives individuals specific rights where a decision about them is based solely on automated processing.
- Determine who in your organisation currently processes data and establish who acts as the controller (deciding why and how the data is processed) and who as a processor (handling it on the controller’s instructions). Ensure these individuals are aware of their responsibilities under the GDPR, or appoint individuals within your team to fulfil these roles.
- What processes are in place for processing that data?
Do you have appropriate security measures in place to protect the data?
- Access control: unique user accounts, strong passwords (with multi-factor authentication where available), and systems that store passwords only as salted hashes rather than in the clear
- Encryption of personal data at rest and in transit (full-disk encryption on laptops and memory sticks, TLS for web forms and email)
- Tested back-up solutions
- Anti-virus and spam filtering software
- Firewalls / unified security gateways
- Managed security updates and patches
- Continuous monitoring
Give yourself plenty of time to review your data processing policies and working procedures prior to the GDPR taking effect. This should include your approach to internal data protection, HR and Finance policies, staff training and IT security.
Highlight any potential weaknesses in your information flow which could be the source of data breaches. Agree with your company’s decision makers on changes that need to be made or new systems that need to be implemented to drive your compliance.
Decide on the most effective means for implementing these measures which may include internal partners and/or external agencies. You should ensure all the key GDPR components you identified as pertinent to your business are embedded into the measures and policies you use.
A good way of establishing whether your processes are working is by testing them using real life scenarios. For example, follow the process you have in place should an individual submit a subject access request or if a client asks to have their personal data deleted. Would your systems help you to easily locate the data? Who will make decisions about deletion? Work through your processes and find out whether you can satisfactorily respond to these requests.
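As an added example (not code from the original article), the Python script below automates two of the exercises above: it scans sample exports from several systems to identify which fields hold the kinds of identifiers listed in the data mapping step (email and IP addresses, National Insurance and NHS numbers, card numbers), using format and check-digit validation so that a stray ten-digit reference is not misreported as an NHS number, and it then shows which systems hold a given subject’s records, as you would need to when walking through a subject access or deletion request. The system names, field names and rows are constructed sample data, not real people or real systems.

```python
"""PII discovery over sample data exports: a starting point for a GDPR data map.

Added example, not code from the original article. The exports below are
constructed sample rows (no real people); system and field names are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
# National Insurance number format (HMRC rules on which letters may appear in
# each prefix position, suffix A-D). A format match does not prove the number
# was ever issued.
NINO_RE = re.compile(r"^[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z] ?\d{2} ?\d{2} ?\d{2} ?[A-D]$")


def is_nhs_number(value: str) -> bool:
    """10-digit NHS number whose modulus 11 check digit is correct."""
    digits = value.replace(" ", "")
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    return check != 10 and check == int(digits[9])


def is_card_number(value: str) -> bool:
    """13 to 19 digit card number that passes the Luhn check."""
    digits = value.replace(" ", "").replace("-", "")
    if not (13 <= len(digits) <= 19 and digits.isdigit()):
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def is_ipv4(value: str) -> bool:
    m = IPV4_RE.match(value)
    return m is not None and all(int(g) <= 255 for g in m.groups())


def classify(value: str) -> Optional[str]:
    """Return the PII category of a field value, or None if nothing matched."""
    if EMAIL_RE.match(value):
        return "email"
    if is_nhs_number(value):
        return "nhs_number"
    if NINO_RE.match(value.upper()):
        return "national_insurance_number"
    if is_card_number(value):
        return "card_number"
    if is_ipv4(value):
        return "ip_address"
    return None


SAMPLE_EXPORTS = [  # constructed sample data, not real people
    {"system": "crm", "row": {"name": "Jane Doe", "email": "jane.doe@example.com",
                              "last_login_ip": "203.0.113.7"}},
    {"system": "payroll_spreadsheet", "row": {"name": "Jane Doe", "nino": "AB 12 34 56 C",
                                             "email": "jane.doe@example.com"}},
    {"system": "occupational_health", "row": {"name": "Jane Doe", "nhs_number": "943 476 5919"}},
    {"system": "web_shop", "row": {"email": "sam.roe@example.org", "card": "4111 1111 1111 1111",
                                   "order_ref": "943 476 5918"}},  # fails the NHS check digit
]


def build_data_map(exports) -> Dict[str, List[str]]:
    """Which categories of personal data does each system hold?"""
    found = defaultdict(set)
    for export in exports:
        for value in export["row"].values():
            category = classify(value)
            if category:
                found[export["system"]].add(category)
    return {system: sorted(cats) for system, cats in found.items()}


def locate_subject(exports, email: str) -> List[str]:
    """Systems holding a row for the subject identified by this email address."""
    return [e["system"] for e in exports if email in e["row"].values()]


if __name__ == "__main__":
    for system, categories in build_data_map(SAMPLE_EXPORTS).items():
        print(f"{system}: {', '.join(categories)}")
    print("SAR for jane.doe@example.com:", locate_subject(SAMPLE_EXPORTS, "jane.doe@example.com"))
```

Running it reports the data map per system and then the systems found for Jane’s subject access request. Note that the occupational health export holds her NHS number but no email address, so a search keyed on email alone misses it: this is exactly the gap a real-life walkthrough should surface, and it argues for agreeing one consistent subject identifier across systems before a request arrives.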
Achieving compliance once does not mean you will stay compliant. Set up regular audits of your data processing and working policies to ensure you continue working in line with GDPR requirements. In doing so, you will operate more efficiently and will be less likely to suffer data breaches, which could have catastrophic effects on your business’s reputation and future trading.
The positive impact of the GDPR (at work and home)
The GDPR will inevitably have an impact on most businesses, large and small, who process personal data within their organisation. It will force businesses to become accountable by putting measures in place to manage and protect personal data. In doing so organisations will become far more transparent and organised in the way they operate.
Employees who follow the internal policies the GDPR brings about will also be less likely to cause or fall victim to a data breach, which protects them from the consequences that could follow.
Although the GDPR may seem frightening at first, don’t over complicate it. Approach things methodically using a step by step approach and map the flow of data through your organisation. Look upon it as a way of spring cleaning your office by formalising processes and cleansing your data.
Not only will GDPR be positive for businesses, but it will protect the integrity of our personal lives, including those of our children, family and friends. It should offer us greater peace of mind, knowing that the organisations and retailers we deal with will not misuse our personal data and that it will, therefore, be less likely to fall into unscrupulous hands.
So the next time you question the need for the GDPR, take a moment to reflect on the positive impact it will have around the office and at home rather than the work it will generate and the inconvenience it will cause!
How we can help with your GDPR compliance
In summary, you as a business will need to understand, or seek specialist advice on, the regulatory aspects of GDPR such as data breaches, consent and individual rights, as we don’t profess to be experts in this area. But as your IT partner, we can offer a range of services to help fulfil your IT compliance requirements, from data mapping, penetration testing, business continuity planning and IT GDPR audits to simply providing advice on the technological solutions, software and training you need to keep your data protected. We can also put you in contact with the legal experts who specialise in GDPR should you need further assistance.
Premieredge can also play a key role in maintaining your compliance through regular support, IT reviews and the continuous monitoring of your systems and software.
If you would like to discuss any aspect of your current IT set-up to help you on your GDPR journey, then just give us a call or email us.