After all the debates, it has officially been confirmed that the UK will have to adhere to the European General Data Protection Regulation (EU GDPR) when it is officially implemented in 2018.
While the regulation underwent four years of negotiating before being signed into effect in April of this year, it would seem that UK organisations were, and are still unprepared.
It is hard to know whether this is down to the distant hope that the Brexit would alter the applicability of the laws, or that people have simply neglected to put processes into place. Or perhaps it’s a result of the fact that information is scarce and people genuinely are unaware of the regulations, Whatever the reason, the reality of the situation is that time is running out to get up to speed.
>See also: Is GDPR still a threat to post-Brexit data protection?
So what can you do now to ensure that you’re on the right side of the 260-page regulatory reform come 2018?
Discover your data
With only just less than 18 months until the regulation is rolled out across the EU, the first crucial step is to map not only where your data is currently being stored, but also what types of data you hold.
Undergoing a comprehensive data audit will help you ascertain which pieces of information need to be protected under the new regulations, and which fall outside its remit.
Assemble your EU GDPR team
The EU GDPR is complicated. It will require experts from across the organisation to come together and decide best practice for a particular company.
This team might also include third parties, such as security providers or cloud companies that are tasked with protecting and storing customer data. But most crucially, you will need a data privacy officer (DPO).
>See also: Change is coming: the GDPR storm
A DPO can advise on the processes that need to be in place to ensure current privacy policies are either sufficient to match the requirements of the EU GDPR or how to bring the policies up to date with the regulations.
Become an expert in security ‘language’
If you’re going to be able to operate effectively once the EU GDPR is fully implemented, you need to understand the basics when it comes to data protection lingo. And this knowledge must be extended to all staff, including new recruits.
For example, people need to know the difference between pseudonymisation and anonymisation, and what it means when someone refers to the ‘right to erasure’.
Look beyond your borders
Do you have operations overseas, for example, in the US or Australia that collect information about EU citizens?
Don’t be fooled into thinking this data is outside the remit of the EU GDPR. Any organisation that collects data about European citizens falls under the new regulations.
Create a crisis plan
With data breach mitigation becoming more and more difficult, you need to ensure that you have a plan in place to deal with the loss of customer data.
It’s now a case of when not if a company will be breached – with the regulations stipulating a 72-hour notice period for reporting a security breach to the relevant Data Protection Authority (DPA), you need to be able to react swiftly.
Make your position known
Not only are the regulations complicated, they are still a fairly unknown entity. Once your strategy is determined, you need to reassure the public as well as internal stakeholders.
>See also: GDPR: The catalyst for a global digital transformation
It’s important to keep a clear channel communication open about how you are preparing for the GDPR and how people can expect to see their data being handled. This will ensure the company is positioned as capable of operating in the single market for EU data.
The clock is ticking
As the reality sets in and the magnitude of the situation hits home – Tesco reportedly would have been fined £1.94 billion as a result of its recent banking data breach, had the EU GDPR been in place – companies can no longer afford to sit on their hands.
To avoid the staggering fines of €20 million or 4% of annual turnover, you need to get prepared… right now.
Sourced by Tim Critchley, CEO, Semafone
