By now, all businesses and individuals concerned will have heard about GDPR — the General Data Protection Regulation — and the possible implications involved in non-compliance with the legislation.
Having come into force in 2018, the legal framework for data protection across Europe has made organisations rethink and bolster their data protection strategies. And with businesses in the UK continuing to follow similar regulations post-Brexit, this trend is set to continue as drafting of updates rolls on.
So, what do businesses need to know about GDPR? As they have been finding out, it is a complicated piece of legislation, with a multitude of options that may or may not apply to them. Clearly a structured, formal approach is required.
Have you been caught unawares by GDPR? — Here’s how you can stay on the right side of regulations.
Don’t fall into the trap
The trap not to fall in to is to consider GDPR to be solely a legislative exercise and therefore assume, the effort to implement the changes should be run by the legal department.
GDPR requires a top-down approach with board level recognition and sponsorship. A compliance team should be formed that represents the whole of a company and all its major departments.
GDPR is wide ranging, and it is essential all areas of your business understand their responsibilities. Education and information are the key to success.
Board level executives must clearly understand their responsibilities, and staff must be made aware of any potential changes to working practices. Evolving regulations may, in many cases, require a change in attitude or company culture, and this may prove to be the hardest thing to achieve.
Assess the risk
Once you have your committee, a review of existing policy and procedures relating to data protection and how you handle data breaches should be undertaken.
If not recently completed, a risk assessment may be required to identify those areas of the business that will be impacted by GDPR and to identify the personal information that you hold.
Where the risk is deemed to be high, then a privacy impact assessment, often referred to as Data Protection Impact Assessment, will need to be completed and suitable steps taken to protect the data.
As is often the way with assessments of this type, what information a business thinks they hold and where it is stored, as opposed to what is actually held, are often very different things.
The €20m challenge — How to comply with GDPR and minimise business risks.
It also worth noting that the national supervisory body will be legally entitled to see the personal data that you hold, so it is important that you ensure you have accurate records of all personal data. And even though GDPR no longer applies to UK businesses, the Information Commissioner’s Office (ICO) remains the relevant authority nationally.
A fundamental step in complying with GDPR: understand what data you hold and what you must protect.
There are parallels with this approach that will be familiar to anyone who has completed a full PCI DSS assessment. There will be a lot of upfront work in the first year, leading up to the initial assessment, but the following years should require much less effort as processes are embedded and become part of standard business-as-usual procedures.
Consumer rights
The individual’s rights to request information remain. You must provide subject data in electronic format — rather than in the form of a letter — and the business needs to comply with the request within a month of the query being received.
If businesses store information on children, then GDPR includes additional controls and restrictions on the storage of such data. It is essential that a company identifies this information and fully understands its responsibilities.
If you are a public authority, or process significant amounts of personal data, then the organisation should appoint a data protection officer.
GDPR: The catalyst for a global digital transformation — As technology continues to rapidly evolve, it’s clear that the world at large is still trying to keep up.
The nature of GDPR and the potential implications of not complying with it means this will become an important and senior role within many organisations. However, given the expected demand for such personnel, recruiting a suitable candidate may not be a simple task.
Additional implications
Other areas, such as breach notifications and the potential fines that can be faced, have been widely reported and should not be underestimated either.
There is a lot to take in and further reading from sources such as the Information Commissioner’s Office (for UK businesses) and the European Commission for EU businesses.
Chris Leppard is cybersecurity lead at Capita Technology Solutions.
Related:
ChatGPT vs GDPR – what AI chatbots mean for data privacy — While OpenAI’s ChatGPT is taking the large language model space by storm, there is much to consider when it comes to data privacy.
Speed of the essence for data centre compliance — The larger your business, the more important it is to consider data centre compliance.
