Conversations about GDPR are growing increasingly heated in the tech space, as companies throughout the world scramble to prepare for the regulatory changes ahead. Unfortunately, according to some of the latest research from Veritas Technologies, most businesses simply aren’t doing enough. Although a third of the companies surveyed said they’re prepared for the Global Data Protection Regulation changes, only about 2% were found to be realistically GDPR compliant.
Though the GDPR transformation won’t officially go into effect until the 25th of May 2018, that doesn’t mean that you can be lax about your strategy for compliance. There’s a lot of work for some businesses to do before they’re ready for the impending regulation. Fail to comply with even a single factor in the new guidelines, and you could face a multi-million pound fine or the loss of 4% of your global revenue.
The only way to avoid business-shattering penalty fees is to start preparing now. That’s why I’ve put together this quick and simple GDPR survival guide to help you begin your transformation.
Your Intro to GDPR
Before I cover the key steps involved in GDPR compliance, here’s a quick refresher course on what the Global Data Protection Regulation changes should mean to you. The GDPR is intended to replace the current Data Protection Directive. The GDPR manages personal data that could be used to identify a person directly or indirectly, to ensure absolute security.
The broad nature of the GDPR means that almost every business operating within the UK or EU will need to revise their internal strategies for data usage and storage. For most, the new regulation will mean making changes to consent notifications, privacy notices, breach notifications and more. Modern businesses will need to notify individuals on exactly how long their data will be stored for, and whether it will be moved. Additionally, the GDPR outlines that all customers should be given access to their data, or may be able to delete stored information under specific conditions.
Given the huge number of new regulations there are to come to terms with, it’s important to make sure that you get a handle on updating your internal policies as quickly as possible. So, let’s get started.
Step 1: Make Sure Everyone Is On Board
By this point, most organisations should have already reached out to their internal departments to make sure that every team in the workforce understands how GDPR might impact their work processes. If you haven’t created an overall GDPR compliance plan for your business, then now’s the time to start.
Outline everything the unit heads in your company will need to do to make sure that compliance is achieved before GDPR arrives in the coming year. This might mean telling your teams to review their security controls, and access auditor expertise to identify any problems with their current systems.
Step 2: Learn About Partner Strategies
Importantly, it may not be enough for businesses to simply make sure that their internal teams are taking the right steps in GDPR compliance. You will also need to communicate with external partners and vendors to make sure that teams connected to your business are also protecting the data that they have access to from your company.
If you provide information to a vendor in the EU that isn’t GDPR compliant, regulators could track the problem back to you, and issue a fine for your lack of effort in taking comprehensive steps for data protection. When it comes to the GDPR, it’s better to be safe than sorry.
Step 3: Audit Your Existing Data
Once you’re sure that everyone in your team, internally and externally, is on the right track, you can begin to carry out a data audit. This will help you to identify what data you currently have access to, what you’re going to do with it, and whether you obtained any consent to store that data. Working with professional auditors might help in this area, or you can try using online checklists for compliance.
Once you know where the gaps in your security are, you’ll be able to start clearing out issues with plans that help you to get rid of any dangerous data, or access the appropriate consent for whatever information you might need to continue storing.
Step 4: Hire Your Data Protection Officer
To make sure that you keep your data organised under GDPR compliance standards, you’ll need to hire a DPO, or data protection officer. This will help you to ensure that your plan or strategy for GDPR success continues going smoothly all the way up to Spring 2018, and every year after. For some companies, hiring a data protection agency will be non-negotiable, as the GDPR requires any company that stores large amounts of EU citizen data to have a DPO.
Notably, you may already have a DPO in your team under a different title, such as a Director of Security. If this is the case, you’ll need to make sure that they’re fully equipped with a strategy for GDPR compliance.
Step 5: Get Consent
Gathering customer data will be an important aspect of business for many companies. However, if you plan on storing that data, or using it for anything that your customer hasn’t given explicit permission for, you’ll need to get clear consent. The GDPR dictates that all consent to use customer data must be written, or verbal and recorded.
You’ll need to be able to show when the consent was given, and how, so make sure that you have a solution in place for record keeping processes.
Step 6: Review Your Data Security
If you want to make sure that you’re fully GDPR compliant, you’ll need to make sure that you know which people in your business have access to customer data and why. You might decide that you need to make access more restricted, and think about upgrading your online security.
Remember that data protection safeguards need to be built into services and products from the very beginning to help keep your company safe. If you have any concerns about the security of customer data, or the information you collect as a business, then work with an auditor or security professional to update your systems.
Avoiding Fines with GDPR
While the cost of having to implement new data protection and privacy solutions into your business might seem significant from a budgetary perspective, it’s worth noting that the potential costs of the fines that you would have to pay without GDPR compliance would be much greater. Although preparing for GDPR can seem quite daunting, the new compliance regulations aren’t necessarily bad news for organisations.
There are benefits to consider with GDPR. For instance, by reducing the risk of a data breach, you can lower your chances of being hit with fines for non-compliance, or struggling with damage to your reputation. At the same time, becoming GDPR compliant could reassure your customers and stakeholders of the security they can rely on when doing business with you, meaning that you end up with more loyal customers in the long run.
Remember, no matter your feelings towards GDPR, compliance is necessary. Make sure that you have a clear plan in place for what needs to be done, and a timeline to follow that ensures you’re ready before May 25th.
If you have GDPR experience, add your comments below.