Back when we first wrote about the GDPR last year, we still weren’t sure what effect Brexit would have on UK companies’ need to comply with the new legislation. However, we now know that – whatever the result of the UK’s Brexit negotiations – the GDPR will apply to UK businesses from 25th May 2018, which gives enterprises roughly a year to prepare for the changes.
If you’ve yet to begin, don’t panic; we’ve outlined 7 key steps to help you start your preparations, whether you’re a UK business or an overseas organization dealing with EU customers.
1. Start Now
It’s never a good idea to leave things to the last minute, especially when it comes to data security. The GDPR requires a new level of transparency that might take a little while to coordinate across all levels of your organization, as well as a review process that could well be lengthy.
You will need to make all employees, from the top down, aware of any changes and new responsibilities, as well as potentially implementing several system, documentation and policy changes. Make sure you allow yourself enough time and resources to get everything done by May 25th 2018.
2. Assign a Data Protection Officer
Under the new legislation, some organizations will be required to assign a Data Protection Officer but, even if this does not apply to you, it is a good idea to have one individual who is responsible for compliance across all sectors of your business to ensure you have a unified policy.
You can assign this responsibility to a current employee or hire an external adviser to take on the role. It is important to remember, however, that assigning a Data Protection Officer does not mean that person is responsible for data protection compliance entirely on their own. Security should be a company-wide policy that is understood and upheld by all; a DPO will merely be in charge of overseeing any necessary changes and helping to make sure all employees are aware of their responsibilities.
3. Know Your Business
The GDPR puts a much bigger focus on transparency and accountability than ever before, so it’s important that you know exactly how, when, where and why your organization or call center collects and stores data, in case you are asked by a customer to correct or remove their data, or in the event that the legality of your data processing is questioned.
A good way to start is to carry out a complete data map of your business, identifying where data comes in, where it goes, how it’s stored and how long it’s stored for. This will help you identify where the risks in your security lie and how to correct them. Make sure to document everything you find in order to comply with the GDPR’s accountability principle.
4. Review and Update Your Policies
These transparency and accountability principles also mean that you might need to review and/or update both your external and internal security policies. Internally, this might mean updating your policy to reflect the new systems or processes employees will need to use to ensure compliance, as well as making all relevant personnel aware of the changes.
Externally, you will now be required to provide your customers with more information about the data you collect and hold, explain your legal basis for collecting and holding it, and make customers aware of their new individual rights.
You will also need to prove that explicit consent was given for any data you collect and hold – including parental consent for collecting data from anyone aged under 13 – so you will need to be able to document and demonstrate this during your data collection process.
Once you have worked out how you will ensure compliance with each of these individual rights, you will need to update your public policies and privacy notices to reflect this.
5. Formulate a Comprehensive Data Breach Plan
If you’re compliant with the Data Protection Act (DPA) then you should already have a data breach plan as part of its best practice guidance, but the GDPR has new requirements for who to notify in the event of a breach, so you’ll need to make sure your plan is up to date.
For example, some organizations who were not required to report breaches to the Information Commissioner’s Office (ICO) in the past will now be legally required to do so for breaches of a certain risk level.
You will need to be able to be able to demonstrate that you can quickly detect, investigate and report any breaches, as well as having the capability to inform individuals if their data has been put at risk. Again, documenting all the information you hold will make this process much easier.
6. Get to Grips with Data Protection Impact Reports
While DPI reports used to be best practice, the GDPR will see them become a legal requirement whenever you implement any new systems or technology. Ensure your DPO knows how and when a report ought to be carried out as well as how to consult with the ICO on compliance if any report shows a high risk.
7. Know Who You Need to Report to
As well as knowing when you need to consult with the ICO, you will need to work out which data protection supervisory authority your organization reports to. If you work only in one country then this will be an easy matter, but international organizations may need to map operations to identify where the majority of their data processing takes place, and therefore, which authority they come under.
If you have any questions or concerns about the new EU General Data Protection Regulation (GDPR) and how your organization or contact center can ensure compliance, please get in touch with our data security experts today. We’re here to help.