The Data Protection Act has been in force for more than two decades now and should be an integral part of any organisation’s approach to dealing with data held in core systems, PCs and mobile devices. With the introduction of the European Union General Data Protection Regulation (GDPR) in May 2018, the rights of the individual (the data subject) and the responsibilities of your organisation to process data ethically and protect it with all practical measures have greatly increased. Failure to protect it can have a significant financial impact, with fines of up to 4% of annual global revenue or €20,000,000, whichever is higher. In some cases, the cost to your brand could be significantly more.
Whilst probably no SME or larger organisation is perfect, the less prepared or the more poorly protected you are, the harsher the response you will undoubtedly receive from the UK Data Protection Authority (the ICO). This is emphasised in the State of the art (SOTA) article within the directive, which encourages organisations to implement appropriate technology solutions and develop good processes so that they always protect personal data in the best possible way.
This cuts across all elements of your technology ranging from system security (including data access rights and compartmentalisation), infrastructure (such as firewall protection and device encryption), the appropriate processes controlling the use of the data and finally, what staff and suppliers have access to the data.
Add to this the complexity of data subjects possibly requesting data portability or the right to be forgotten, the management of third parties with access to the data, and the movement of or access to the data across geographical boundaries, and the task of managing personal data has become far more complicated and time consuming.
Every organisation will have a different set of actions to undertake, but the broad steps should be the same.
- A discovery audit and documentation of existing uses, systems and appropriate infrastructure
- Creation of a roadmap for change and data owner / processor responsibilities
- Implementation of remedial work to meet the new requirements
- Creation and implementation of appropriate Policies and Procedures
- Training your staff to understand GDPR and their duty of care towards personal data
- Building the requirements into your business-as-usual operation
Our consultants are qualified EU General Data Protection Regulation Practitioners. We can work with you to assess the implications of GDPR for your business and then help you create and implement a sustainable plan to achieve and maintain compliance.