As you now know, the UK public voted out in the EU referendum - it is a significant event in UK politics and perhaps the most important vote many of us will ever make. However, it has left many UK businesses facing uncertainty, especially in terms of EU legislation compliance. While a leave vote may make certain laws irrelevant, other regulations governing international relations will still be very much applicable.
In 2018 the new General Data Protection Regulation (GDPR) comes into force, designed to harmonise data protection laws across the EU. Even after we have left, GDPR will still apply to businesses that trade with any member states - so global organisations need to be aware of key factors to ensure compliance.
Awareness of GDPR is significantly lower in the UK than in other countries. According to a survey by Trend Micro, 87% of IT decision-makers in Germany are planning for GDPR, compared with only 50% of UK IT decision-makers. This means that many UK businesses could be on the back foot when the legislation comes in, needing to make significant changes to the way they handle data to ensure best practice.
Get Ready For GDPR!
If you haven’t started preparing your business for GDPR, it’s not too late. 2018 may be the date GDPR becomes law; however, there will be a two-year adoption period, after which it becomes enforceable across the EU by data protection authorities and the courts. Non-compliance will result in sanctions under a tiered fine structure.
For example, a company can be fined up to 2% of their global revenue for minor infringements including not keeping records in order or not notifying the supervising authority and data subject about a breach. For more serious infringements, such as violations of basic principles of data protection, organisations can be fined up to 4% of global revenue.
These fines are significantly higher than the sanctions currently handed out by the UK’s Information Commissioner’s Office, and alongside the other costs associated with the fallout of a data breach they could seriously affect an organisation’s profitability and business.
So what does your company need to do to ensure compliance?
Step 1: Get Documentation in Order
Data protection authorities must be able to review privacy policies, procedures and documentation at any time: get them in order and keep them up to date. ISO 27001 is a good starting point for working towards compliance.
Step 2: Appoint a Data Protection Officer
If your organisation has over 250 employees, or if the core activities of your company involve ‘systematic monitoring of data subjects on a large scale’ or large-scale processing of ‘special categories’ of data, you must appoint a Data Protection Officer (DPO). There will be an increase in demand for this role as the deadline nears, so look to begin your recruitment process as soon as possible.
Step 3: Form a Governance Group
Regardless of whether you need to appoint a DPO or not, you should also form a governance group (led by your DPO or a senior executive) to oversee all data privacy activities and measure results.
Step 4: Put ‘Right to Be Forgotten’ Procedures in Place
A significant element of GDPR is the ‘right to be forgotten’, allowing any individual to request that their personal data is erased from an organisation’s records. Your organisation will need to develop a strategy for data classification, retention, collection, destruction, storage and search, covering every channel through which data is collected. Remember, you must be able to provide evidence at any time that records are actually being erased when requested.
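The erasure step above has two parts that are easy to get wrong: finding and removing the subject’s records in every channel, and keeping evidence of the erasure that cannot later be quietly edited. The following is an added illustration, not code from this post or from any product; the store names (crm, newsletter, support), the field names and the sample records are all constructed for the example. It removes a subject’s records from each store in place and appends a hash-chained ledger entry that records only the subject reference and the per-channel counts, never the erased data itself, so the evidence trail does not re-create the problem it documents.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample records, grouped by the channel they were collected through.
# Store and field names are assumptions made for this example.
STORES = {
    "crm": [
        {"subject_id": "s-1001", "email": "alice@example.com", "name": "Alice"},
        {"subject_id": "s-1002", "email": "bob@example.com", "name": "Bob"},
    ],
    "newsletter": [
        {"subject_id": "s-1001", "email": "alice@example.com", "opted_in": True},
    ],
    "support": [
        {"subject_id": "s-1002", "ticket": 77, "text": "Cannot log in"},
    ],
}


class ErasureLedger:
    """Append-only, hash-chained record of erasure actions.

    Each entry commits to the previous entry's hash, so editing or deleting
    any earlier entry breaks the chain and is detected by verify().
    """

    GENESIS = "0" * 64  # hash value assumed for the first entry's predecessor

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(payload, prev_hash):
        # Canonical JSON so the same payload always hashes the same way.
        body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

    def append(self, payload):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        self.entries.append(
            {"payload": payload, "prev": prev, "hash": self._digest(payload, prev)}
        )

    def verify(self):
        """Recompute the whole chain; False if any entry was altered."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or entry["hash"] != self._digest(entry["payload"], prev):
                return False
            prev = entry["hash"]
        return True


def erase_subject(subject_id, stores, ledger, when=None):
    """Remove every record for subject_id from every channel and log the result.

    Returns a per-channel count of removed records. The ledger entry holds
    only the subject reference, the counts and a timestamp, not the data.
    """
    when = when or datetime.now(timezone.utc)
    removed = {}
    for channel, rows in stores.items():
        before = len(rows)
        rows[:] = [r for r in rows if r.get("subject_id") != subject_id]  # in place
        removed[channel] = before - len(rows)
    ledger.append({
        "action": "erasure",
        "subject_id": subject_id,
        "removed": removed,
        "at": when.isoformat(),
    })
    return removed


def remaining_for(subject_id, stores):
    """Count records still referencing subject_id across all channels."""
    return sum(
        1 for rows in stores.values() for r in rows if r.get("subject_id") == subject_id
    )


if __name__ == "__main__":
    ledger = ErasureLedger()
    stores = copy.deepcopy(STORES)
    print("removed:", erase_subject("s-1001", stores, ledger))
    print("remaining:", remaining_for("s-1001", stores))
    print("ledger intact:", ledger.verify())
```

In a real deployment the stores would be database tables, mailing-list providers and ticketing systems rather than in-memory lists, and the ledger would be written to append-only storage; the point that carries over is that every channel is enumerated in one place and that the evidence of erasure is both minimal and tamper-evident.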
Step 5: Design a Breach Notification Procedure
A data breach that results in a risk to individuals’ data must be reported to the supervisory authority within 72 hours of discovery. This may mean improving your data breach detection systems, as well as your response and incident management processes.
Step 6: Promote a Culture of Data Protection
Data breaches are often insider jobs, whether through human error or malicious intent. Awareness, training, robust privacy policies and stronger privacy controls will all help your organisation comply with these new data protection laws.
Our enterprise data security and threat intelligence solutions can also help organisations comply with GDPR. Whether you’re looking for an audit of your current services to see what work needs to be done, or whether you know exactly what solution you need, get in touch – we would love to discuss how we can partner with your business.
Say hello at email@example.com or give us a call on +44 (0)207 605 7890.