We’ve all heard by now: GDPR is less than 4 months away. A lot has been written on the topic, but the majority of it is uninformative and boring, and much of it makes you feel as though GDPR is impossible to tackle.
We’ve read a lot of GDPR literature recently, including a 75 page ‘Pocket Guide to GDPR’ (some people must have huge pockets!). This blog sets out to answer a bunch of GDPR questions and, most importantly, actually help!
WHAT IS GDPR AND WHY DO WE NEED IT?
GDPR (the General Data Protection Regulation) will replace the current Data Protection Act 1998 on the 31st May 2018. In 1998, when the current legislation was written, the world was a very different place: Windows 98 was the latest platform and 3G had only just been invented. There was no Twitter, Facebook, LinkedIn or YouTube, and no USB sticks, cloud storage or fibre optic broadband. Day-to-day data usage, by both consumers and businesses, has changed beyond recognition. When you think about it, the current Data Protection Act is in desperate need of an update, one that brings it in line with the lives we lead now.
WHAT DOES BREXIT MEAN FOR GDPR?
Because Article 50 has been triggered, many companies now think that they no longer need to comply with GDPR, as it is European legislation. As many as 1 in 4 UK companies think GDPR no longer applies to them because we’re leaving the EU. This is false.
Companies the world over will need to comply with GDPR regardless of geographical location. GDPR affects any company that collects and/or handles data on European citizens. So, if you’re a business in Canada that trades with a company in the EU, you would need to be GDPR compliant because you would be collecting and handling data about EU citizens. This legislation affects far more than just EU companies.
HOW TO PREPARE FOR GDPR
Be proactive
A proactive approach is essential for effective data security. The majority of organisations don’t know exactly how their data is processed, where it is stored, or whether the people accessing it are following company policy. Auditing this will help you understand your data better and show where improvements are needed. The audit should allow you to:
- Understand what measures your organisation has in place to protect its data, particularly personally identifiable information. This is a great opportunity to do penetration testing to see whether unauthorised access to data is possible.
- Understand your relationship with third parties. Who are you sharing data with? How do third parties collect data from you? You will need to make sure that your supply chain is GDPR compliant; it is your responsibility to ensure this. It is also worth liaising with third parties to understand how they secure their (or your) data, and sharing best practice.
- Review your end-user agreements to ensure that everyone has willingly agreed.
- Ensure that how you say you use data is actually how you use it. Don’t be afraid to bring in an expert to advise you on this; an outside opinion can be very helpful.
- Find out whether your current data storage solution has any risks associated with it. If so, keep track of them and ensure that they can be dealt with.
Eradicate risks
Continual compliance with GDPR requires you to eradicate risks to your data. Data is hugely important to companies, and the vast majority of it is reachable over the internet, which leaves it exposed. We’ve witnessed the tremendous impact of data breaches on companies: loss of reputation, loss of customers and their trust, loss of money, and so on. GDPR puts far more of the onus for data protection on companies than the Data Protection Act 1998 did. It’s vital that you:
- Continuously monitor your data; you don’t want data to take an unauthorised walk out the front door!
- Classify your data so that you know who is meant to access it, who isn’t, and how they do so.
- Encrypt your databases. This may seem obvious, but we’re continually surprised by the number of companies that don’t use encryption. Encryption means that even if someone does steal your data, it is rendered useless because it can’t be read, provided the keys are kept separate from the data itself.
A challenge, but also an opportunity
GDPR may feel impossible at the moment, but breaking it down into bitesize pieces will help. It might be an intimidating piece of legislation, but GDPR also gives businesses a great opportunity to redefine their customer relationships and earn customers’ trust by handling their data securely.
If you haven’t already, the time to start the GDPR process is now. There is no quick GDPR fix; it takes time and effort. Companies that don’t comply will not just falter; it’s likely they’ll be permanently affected. The opportunity to become a leader in data protection is there, so grab it!