In 2016, following three years of discussion and debate, the European Union came to a decision on a new data protection framework. The General Data Protection Regulation (GDPR) will be coming into effect in May 2018 and will replace many of the current national data laws and regulations in place in EU member states. With the new regulation comes a wider territorial reach in terms of companies that may come under the law’s jurisdiction, and harsher monetary fines for anyone—business or individual—found to be non-compliant.
The GDPR is looming large for UK organisations, which suffered the second-highest number of reported data breaches across the globe in 2016. The new regulation enforces more severe penalties for non-compliance compared to the current UK Data Protection Act (DPA)—fines can reach up to €20 million (or 4% of global annual turnover if that value is greater) rather than the current £500,000 maximum.
It goes without saying, then, that you need to be fully aware of the GDPR’s implications and how they will affect your organisation. To do so, your first step should be assessing the current state of your organisation’s security.
A disparity between awareness and action
With just over a year to go, much is being done to raise awareness of the GDPR. But too many organisations still aren’t sufficiently educated on the details. As of last year:
- A Dell survey found that 80% of respondents knew little to nothing about the GDPR; 87% said their respective companies did not have any plan to implement the new rules.
- Only 2% of more than 15,000 enterprise cloud applications are GDPR-ready.
That was in 2016, and since then more companies have of course started making changes to comply with the GDPR. But many remain unprepared. In 2017, just under half (48%) of businesses admit they are still not ready for the new data regulations.
So, what can you do? First of all, businesses need to make sure that everyone who processes or controls data within the organisation is aware of the upcoming changes. And most importantly, they need to appreciate and understand the impact it will have on the company. As a preliminary check, all individuals in your business should be able to answer the following questions:
- Do you know the format and location of all your data?
- Do you know who has access to your data?
- Do you have a dedicated data owner?
- Do you know your data protection responsibilities?
If the answer to any of the above is no—or even if you cannot definitively say ‘yes’—then you are currently non-compliant with the GDPR.
Knowledge is your most valuable asset
Companies should look towards privacy impact assessments (PIAs) to identify, understand and address any issues that might arise when developing new products and services or undertaking any other new activities that involve the processing of personal data (which under the GDPR will leave more individuals liable than ever).
In the UK, the Data Protection Act (DPA) does not oblige organisations to conduct privacy impact assessments, but the impending changes means assessments like PIAs can put your company in a better position to comply with the GDPR when it is introduced.
Assess and retain
By conducting an assessment, any issues can be flagged and addressed that otherwise may have been missed. You give your company the means and time to change the way data is processed and personal data is handled in order to reduce or manage any risks to privacy.
Document retention, for example, is one area that should be scrutinised during an assessment. Ensuring that any personal data is disposed of when no longer needed will greatly reduce the risk that it will become out of date, irrelevant or inaccurate. Your business needs to consider the purpose for which you are holding information; out of date information should be updated while data that is no longer needed should be securely archived or deleted.
Of course, all businesses must acknowledge there is no absolute guarantee of protection from data breaches. But organisations that are able to show they have assessed the risks of processing personal data and have made an effort to mitigate these risks will be better placed to avoid the most stringent fines.
Time to act
The GDPR will require many companies to undertake a privacy impact assessment by law. But you shouldn’t wait until next year to do so. By assessing your organisation’s security stance ahead of time, you will have ample time to do everything you can to make your company as secure as possible.
At bluesource, we specialise in governance and compliance assessments to help get companies of all shapes and sizes not just ready for the GDPR, but stay compliant well into the future. If you want to ensure your company’s data security is up to scratch come May 2018, talk to us today to see how we can help you.