Following four years of bureaucracy between the numerous bodies involved in passing European law, the General Data Protection Regulation (GDPR) was given final approval yesterday, finalising a complete overhaul of data protection rules for companies with data that is either stored in or passes through EU nations.
The new law, when it comes into force in 2018, will hold companies fully accountable for implementing technical and organisational measures as part of a comprehensive data governance policy.
New compliance requirements include a data protection officer, investment in new technologies, significantly more documentation and regular assessments. Companies will also be legally required to disclose personal data breaches within 72 hours.
Businesses that don’t do the work and are found to be in breach of the GDPR will face tough penalties, including fines of up to 4% of a company’s total global annual turnover. It’s safe to say this new regulation will have significant implications for companies of all sizes around the world.
Worryingly, many businesses have not even started to prepare for the new regulations. According to an Experian survey of UK companies that had experienced a data breach, if 20% experienced a similar breach in the next three years they would face fines totalling £20 billion.
As large firms have invested in increased cyber security in recent years, SMEs are increasingly seen as an easy target by hackers. The number of attacks against businesses with less than 250 employees has grown to 43% of the total, up from only 18% five years ago.
Here are eight things SMEs should address now to ensure they comply with new EU GDPR.
1. Establish clear policies and procedures
Businesses should be able to react in a timely manner, without undue delay and within 72 hours of any breach of data. Data subjects must also be notified without undue delay.
To achieve this, enhanced policies and procedures need to be established, and incident management processes and detection and response capabilities need to be enhanced to be able to properly manage any incidents.
In addition, the request to view documentation can be made at any time by the authorities so organisations will have to stay abreast of this admin.
2. Create a culture of accountability
To implement policies and procedures effectively, a culture of accountability should be created where processes and procedures are monitored and reviewed on an on-going basis, while training should be undertaken to ensure staff are aware of their responsibilities with regards to data protection.
3. Appoint a data protection officer
For companies with more than 250 employees and those that process significant amounts of personal or sensitive data, or track individuals as part of their service, appointing a data protection officer (DPO) will be a requirement.
For SMEs, however, it will be good practice to form a steering group to oversee all privacy activities, policies and procedures and ensure that the rules are enforced.
If you haven’t already done so, now is the time to empower your CIO with increased responsibility and influence within your organisation.
4. Implement your ‘right to be forgotten’ strategy
Users can request that their data is removed from records in certain circumstances, so consider early implementation of systems into marketing databases. This could save money in the long-term and avoid the problems associated with having to retrofit.
Consider now how you will remove data records from databases, CRM systems and spreadsheets. This should cover all means by which data is collected, included via the web, over the phone and by hard copy.
5. Review third-party contracts
Under the new regulations, any company or individual that processes data that your organisation collects will also be held responsible in the event of a breach.
You should consider reviewing all third-party contracts now to ensure your suppliers’ policies, procedures and facilities, in the case of physical data storage, are as watertight as your own with regards to data protection.
6. Take care in transferring data cross-border
Ensure there is a legitimate reason for transferring personal data to geographies and jurisdictions that are not recognised as having adequate data protection. This will include all countries outside of the 27 EU states covered by the data protection regulation.
Failure to comply with this could now result in fines of up to 4% of annual global turnover. Be aware that this includes all international data transfer across companies within the same group.
7. Ensure your subjects have given informed consent
Contrary to existing requirements, the burden of demonstrating that consent has been given by a subject will lie with the data controller, rather than the individual.
This consent needs to be “freely given, specific, informed and explicit” and must be provided by a statement or a clear affirmative action that effectively agrees to the processing of data.
Specifically, consent must be “explicit” for sensitive data. You should be aware that consent can be withdrawn at any time by the individual, highlighting the importance of the right to be forgotten.
8. Encrypt your data
This is the process of changing information in such a way to make it unreadable except by those holding the ‘key’. In the event of an attack, the encrypted data obtained by an attacker will be rendered useless as they do not have the key to unlock it. Historically, however, application development using encryption has been difficult to integrate.
New developments in cloud-based platforms – which wrap up the encryption of data with cloud services and incorporate keys that are strictly unavailable to anyone other than the user – protect all data stored and transmitted, and ensure compliance.
Sourced from Edward Adlard, head of digital strategy, Qredo