With six months until the GDPR becomes enforceable, time is running short to make the preparations needed to be fully compliant with the regulation.
It could not be timelier that, six months before enforcement, a major data breach has come to light at a very visible company.
The recent news that Uber suffered a major security breach illustrates why the new legislation matters. The media are reporting that Uber discovered a breach affecting up to 57 million users but did not disclose it to regulators or to the individuals affected for over a year.
Once the GDPR is in force, the maximum fine for the most serious infringements is 4% of global annual turnover or €20 million, whichever is higher. Concealing a breach of this size is exactly the kind of conduct regulators will look at when deciding where in that range a penalty should sit. This is significant to any firm.
GDPR and Brexit
The GDPR will be enforceable from the 25th of May 2018 and will not be affected by Brexit. It’s important to remember that there are multiple reasons for this:
- The GDPR applies to any organisation, wherever it is established, that processes personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour. A UK company serving EU customers is caught regardless of the UK's membership status.
- The UK will still be an EU member state when the GDPR becomes enforceable on the 25th May 2018.
- The Data Protection Bill now before the UK Parliament fully supports the GDPR and adds further legal protections for individuals. It is effectively the implementation of the GDPR in UK law, and will remain in place after the UK leaves the EU.
Are you ready?
Working through the following questions should give you a sense of how much you still have to do to get ready for the GDPR:
- Do you know where data on individuals is held in your organisation?
- You must be able to identify where you hold personal data (any information relating to an identifiable individual) about people in the EU: which systems it is held in, and where those systems, their backups and any paper copies are physically located. This covers all individuals, not only customers but also employees.
- Do you know the processes that the data is used for?
- Organisations must be able to tell individuals the purposes for which their data is processed, both at the point of collection and later on request. That is only possible if each processing activity is recorded against the data it uses.
- Would you be able to delete data for specific individuals if asked and would your processes still work?
- Processes will need to keep operating after the data of specific individuals has been removed. That can break a hidden assumption that a process holds a complete record of all previous and existing customers, for example in reconciliation or reporting. Will the process continue to work? What adjustments do you need to make? Note that erasure is not absolute: where a legal obligation requires you to retain a record, you may refuse the request, but you need to know in advance which records those are.
- Do you know how old the data is and whether it is up to date and accurate?
- The GDPR's storage limitation principle says that personal data may be held only for as long as is necessary for the purpose it was collected for, and the accuracy principle requires that inaccurate data is corrected or erased. This effectively gives the data you hold a shelf life: organisations can no longer assume they can keep it indefinitely, and need a retention schedule and a means of enforcing it.
- Do you know if you have valid consent from individuals to process their data, where you rely on consent? (Not just obtained through a pre-ticked box on your website.)
- Under the GDPR, consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action; pre-ticked boxes and silence do not count. Consent is only one of the lawful bases for processing; where you rely on another basis, such as performance of a contract or a legal obligation, you do not need consent, but you must be able to say which basis applies to each processing activity. Where you do rely on consent and the consent you hold does not meet this standard, you may need to obtain it again, potentially from your entire customer base.
- Do you know if you send your data externally to vendors and what they are using the data for?
- Data you pass to a vendor remains your responsibility. The GDPR requires a written contract with any processor that sets out what they may do with the data, and you need to know what it is used for and be able to have it deleted or returned when the processing ends or an individual asks.
- Is data you hold safe from cyber-attack?
- Appropriate technical and organisational measures must be in place in your organisation to protect individuals’ data from cyber-attack, taking into account the risk to the individuals concerned.
- You also need to ensure that, if a breach were to occur, it would be detected, and that you could notify the regulator within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to the individuals affected, you must also inform them without undue delay. Both deadlines are only achievable if detection, triage and escalation are already in place.
- Do you know what you would do if the data were to be lost or stolen?
- The way you handle a data breach can have a serious effect on the reputational damage the organisation suffers. Preparation is key to minimising the impact, especially given how quickly the regulator and affected individuals must be told: a tested incident response plan that names who decides, who notifies and what evidence is preserved is far easier to follow than one written during the incident.
- Have your staff been trained?
- Training will be key for your staff to know how to stay compliant with the regulation, how to recognise a data subject request, and what to do in the event of a breach.
If you need help with any of the above questions, or would like to know more about the GDPR, how it will affect your business, or the ways in which New Link Consulting can help, please contact us through our website: www.New-LinkConsulting.com/Contact