Europe’s decision to update and amend its data protection laws and Britain’s decision to leave the European Union came in quick succession. Changes to EU data protection laws were finalised at the end of April 2016 by way of the General Data Protection Regulation (GDPR), while the EU referendum was held shortly after, on the 23rd of June. While the two were in no way related, questions have understandably been raised about whether Britain’s impending departure from the EU will affect its stance on the GDPR—a European regulation not coming into effect until May 2018.
But Brexit won’t change the way UK organisations manage their data, as the GDPR is all about the data, not the company. One of the biggest changes the new EU data protection laws introduce is that liability depends on whether an organisation handles data concerning individuals residing in the EU (which is pretty much every company in the UK!), not on whether the organisation itself is in the EU. Indeed, even monitoring the behaviour of an EU individual can make you accountable under the GDPR, meaning you need that person’s consent to collect and use information about them. With monitoring features like cookies now more or less ubiquitous across the internet, companies that offer a digital service such as a web app, platform or website accessible to EU individuals must comply with the GDPR by 2018. So whether you’re located in Britain, Europe or anywhere else in the world, the GDPR will most likely affect you.
And fines for non-compliance are going to be larger than they’ve ever been. If data breaches continue at the same rate as in 2015, UK businesses could pay a cumulative total of £122 billion in 2018. So, while having over a year to prepare for the new regime may seem like ample time, the drastic changes to how you collect and use personal information will require a considerable adjustment period. As such, you need to ensure that your company will be compliant in terms of keeping data secure come May 2018.
Stricter regulations around all aspects of data security require a more holistic view of data management. The following are five key areas of data management that, when addressed together, give your organisation the tools and knowledge to comply with the new EU data protection regulations.
A Subject Access Request means an individual is able to request visibility into all of the personal data your company holds about them. Ensuring your organisation can fulfil these requests in a timely and efficient manner is crucial to avoiding penalties, and powerful indexing capabilities can help users find personal information fast.
The GDPR stipulates that an organisation must show it has considered and integrated data protection measures for all aspects of data processing and collection. This includes the training of staff, audits of data processing and document access, the correct storage of information and more. Your company needs to be sure it can demonstrate a high level of transparency when it comes to validating compliance.
If a data breach does occur, you must be able to report it to the relevant authorities as soon as possible. Organisations therefore need to evaluate their ability to monitor breach activity, trigger the reporting procedures that compliance requires, and know what to do in the event of a worst-case scenario.
At all times, it’s important to have an over-arching view and understanding of where your business’s personal data is being held. Building a data map of where information is stored, who can access it, how long it’s being retained for and where it’s being moved to are key elements of this understanding.
One of the main tenets of the GDPR is ‘data minimisation’—reducing the amount of personal data a company stores to the bare minimum. This is done by keeping personal data only for as long as its purpose requires. Retention policies that automatically delete or archive information after a set date help enforce this.
Knowledge is your most valuable asset
The aim of the GDPR is to ensure that organisations take data protection seriously, no matter where they are in the world. By focusing your approach on the above areas, you can achieve compliance in your organisation, even against the regulation’s strictest guidelines. With the right technology at hand, both your users and your customers can be confident in your approach to governance, and your company is given the best opportunity to keep in line with the GDPR and any future data regulations.
bluesource can ready your business for the GDPR, giving you a complete overview of your company’s current stance on GDPR compliance. With stages of assessment tailored to your company’s needs and investment, you can ensure the highest level of visibility when it comes to identifying any areas of weakness.
The next step is investing in the best technology to fix them. Our partner Veritas’ 360 Data Management takes an all-round approach to your company’s data security, covering the protection, availability and insight of your data to give you maximum control.
For more information about the GDPR and what you can do to assess the security situation of your company, contact us today.