GDPR: What should I be doing?
Julie Gingell & Emma Gross share how you can start preparing for the GDPR.
The new General Data Protection Regulation has drawn many alarmist headlines as we get closer to the launch date.
SA Law’s recent GDPR breakfast meeting at Croxley Park helped to bring some perspective to the situation, with a practical explanation and a clear roadmap towards compliance.
What is GDPR?
The General Data Protection Regulation is new legislation governing the way organisations collect, process and protect the personal information of individuals, be they customers, employees or business partners. It replaces the Data Protection Act 1998 from 25 May 2018, introducing new obligations for organisations, more rights for individuals, and harsher penalties for non-compliance. On a wider scale, it harmonises data protection laws across the EU and applies to anyone handling the personal data of individuals in the EU, wherever the organisation itself is based. Even with Brexit, this law will apply to all UK organisations.
Why is this happening?
Our modern era of Facebook, Google and other information-based services has turned personal information into a valuable commodity. Unfortunately, it is often used with little regard for the individual, which puts them at risk of crimes such as identity theft and harassment. As the Data Protection Act is 20 years old, GDPR is bringing the law up to date with the modern era.
Is the GDPR a significant change from current Data Protection laws?
Yes and no. Relatively speaking, the rules governing how you process information are not vastly different from the Data Protection Act, but the fine detail will affect some organisations more than others. Our 12-point outline of the key changes will help you to determine how it could affect you.
The major concern for organisations is the greatly increased maximum fine for non-compliance, which rises from £500,000 to €20 million or 4% of worldwide annual turnover, whichever is greater. If you suffer a data breach, you may also have to pay compensation to the individuals affected. As a result, many articles have painted a picture of apocalyptic ruin for any organisation that fails to comply by 25 May 2018. In reality, although there is no formal grace period, the regulator has said that fines are a last resort, and any failings can be expected to be assessed against how much work the organisation has done to meet the requirements.
Two other key requirements to bear in mind are breach notification and the ‘right to be forgotten’. A personal data breach must be reported to the supervisory authority (the ICO in the UK) within 72 hours of your becoming aware of it, unless it is unlikely to result in a risk to the individuals concerned; where the risk to them is high, the individuals themselves must also be told without undue delay. The right to be forgotten, formally the right to erasure, means that requests to be removed from your records must be honoured by your customer-facing teams unless one of the Regulation’s exceptions applies, for example where you are legally obliged to retain the data. Erasure must also reach any processors or third parties with whom you have shared the data, and you need a plan for copies held in backups.
What should I be doing?
There are two objectives – policy and education. Your policies must change to reflect what your organisation needs to do, and your people need to be educated about their responsibilities. Although GDPR will primarily affect customer-facing teams, an organisation-wide approach is recommended as it minimises the risk of a mistake from another member of staff. In an age where corporate espionage is a day-to-day threat, this is an excellent opportunity to focus on the information security of your entire business.
As for the steps, the following presents a fairly standard roadmap towards GDPR compliance. The time it takes to implement will differ depending on the size of your company and what you do, but should be achievable by 25 May 2018 if planned and implemented effectively.
Assemble a compliance team:
As always, change programmes work best when driven from the top, and when embedded by champions across the organisation. Recruit the most appropriate senior leader as spokesperson and chair, and find key members of each department to help.
Gather information about how you use and store data:
To determine what needs to be done, you must first understand what you are doing at the moment. Working with your stakeholders, initiate a fact-finding phase to determine the full nature of the personal information you hold. Ask key questions such as:
- How did you collect each individual’s personal information, and for what purpose?
- How long have you held it, and how long do you actually need to keep it?
- What lawful basis do you rely on to use it: consent, a contract, a legal obligation or your legitimate interests? If it is consent, can you evidence it?
- Where is it stored, who can access it, and who is it shared with, including any processors and third parties?
At the same time, understand how information flows around the business and how employees actually handle it. For this, it helps to think of information in its lifecycle stages: collection, storage, usage, sharing and disposal.
Undertake a gap analysis:
There are two gaps to consider here:
- Identify the gap between what your policies and procedures say now, and what they need to say to be compliant with GDPR.
- Identify the gap between the way your employees currently handle information, and the way they should be handling it. This exposes your education needs. SA Law’s Data Risk Register can help you analyse where your risk exposure is greatest.
Plan and implement:
Naturally, the next stage is to prepare and deploy a plan for plugging the gaps. Start with policies and procedures, which need to be redrafted to reflect the new changes. The aim is to create a flexible Information Governance Framework (IGF) that meets compliance, yet enables you to deliver on short and long-term strategies.
You can also begin to deliver awareness and education activities that bring employees up to standard. Larger businesses will likely need a more formal internal communications change programme, while smaller businesses may only require a few informal training sessions.
You may also need to contact customers about the data you hold on them, particularly if you rely on consent to use it. Consent under the GDPR must be freely given, specific, informed and unambiguous, given by a clear affirmative action (pre-ticked boxes and silence do not count), and as easy to withdraw as it was to give. Existing consents that do not meet this standard will need to be refreshed, unless you can rely on another lawful basis instead.
These GDPR preparation activities will likely require some degree of budget assigned to them, whether you need to create communications materials, take on consultancy assistance, update software, or simply need some sandwiches for a few ‘lunch and learn’ seminars.
Pilot:
Ideally, deploy your new and improved information regime from 1 January 2018, which gives you almost five months to get the whole business up to speed. During that time, run a few breach scenarios to make sure everything operates smoothly, from employees notifying you promptly, to your marketing function preparing customer awareness communications, to your PR team preparing to fight negative publicity. Time each exercise: the 72-hour notification clock starts when you become aware of the breach, so the drill should show how long it takes from first detection to a decision on whether, and what, to report.
Stay ahead of the curve:
The focus on GDPR is likely to increase as we get nearer to the date the legislation comes into force, so keep an eye on the ICO’s guidance, on the media, and particularly on what others are doing to meet the requirements. Keep your plans flexible so you can respond quickly to developments and good ideas.
One final thing to bear in mind is your attitude towards GDPR. Many see it as a large stick with costly and potentially devastating impacts for organisations. This negative view won’t help you rally employees to the cause.
This is why many forward-thinking organisations are choosing a more positive attitude. In an age where high-profile data breaches and poor handling of the aftermath have weakened our confidence in how personal data is handled, GDPR represents an opportunity to ‘re-inspire’ customer trust. In effect, it presents an opportunity for competitive differentiation that could help you pull away from the crowd.