5 December 2017
Are you GDPR ready?
The GDPR – or General Data Protection Regulation (EU) 2016/679 – will be enforced in less than six months, from 25th May 2018.
It will significantly change the way organisations handle data collection and cyber security.
It applies to any organisation established in the EU, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU – including the UK even after Brexit. It defines ‘personal data’ as any information that can be used to identify an individual, directly or indirectly. It places obligations directly on both ‘controllers’ (the organisations that decide why and how data is processed) and ‘processors’ (those who process it on a controller’s behalf), so both can be held liable. It contains new rights for people on accessing information held about them, plus obligations for organisations on gaining consent for use and for more secure data management, including breach notification. Failure to comply could lead to fines of up to €20m or 4% of your total (global) annual turnover, whichever is higher … plus a potentially disastrous effect on your organisation’s reputation.
So, are you prepared? Here are 10 questions to ask yourself to help ensure your organisation is GDPR ready.
1. Have you mapped your organisation’s personal data flows?
To comply with the new data regulations, you first need to know what data you hold. Have you mapped where your data comes from, where it’s stored, how it’s used and who you share it with? Only when you’re clear about this, can you begin to shape how you’re going to comply.
2. Have you gained consent to use data?
Gaining consent to use a customer or client’s data is a key consideration wherever consent is the lawful basis you rely on. You are now required to offer ‘accurate and full information’ on exactly how the data will be used, and make it ‘as easy to withdraw consent as to give it’. You may need to verify an individual’s age, as children under the applicable age threshold cannot give valid consent to online services themselves; a parent or guardian must consent instead. There must always be an unambiguous, affirmative opt-in (pre-ticked boxes and silence do not count), and consent is not ‘freely given’ if you make a service conditional on consenting to processing that the service does not actually need. Refresh existing consents now if they don’t meet the GDPR standard.
3. Have you reviewed your privacy processes?
To ensure compliance you need to review your organisation’s privacy processes to bring them into line with what is required by the GDPR. You are fully accountable for how data is handled. You must be able to demonstrate that you are complying with GDPR requirements, have clear data protection policies and, in many cases, conduct data protection impact assessments.
4. Should you appoint a Data Protection Officer?
You will be required to appoint a Data Protection Officer if you are a public authority, if your core activities involve large-scale, regular and systematic monitoring of individuals, or if they involve large-scale processing of ‘special category’ data (health records, etc.). Whether or not you have a DPO, you will need to keep full records of the ‘lawful basis’ on which your data is processed.
5. Are your third-party processors compliant?
If you use third-party processors, it’s important to make sure they are compliant too, and that your contracts with them set out the obligations the GDPR requires of a processor.
6. Do you have a GDPR training programme?
It’s essential for everyone within your organisation – whatever their level – to understand the significance of GDPR and the importance of protecting personal data.
7. Are you ready for data access requests?
Individuals will start exercising their new rights. You are required to give them access to their data free of charge (unless a request is manifestly unfounded or excessive), and within a stricter time limit of one month. In some circumstances, people will also have the right to have their data erased or corrected.
8. Do you have a breach management system?
You will need to assess your cyber security – against both user error and external attack. Do you have the right procedures to detect, report and investigate data breaches? Where a breach is likely to result in a risk to individuals, you have only 72 hours from the time you become aware of it to report it to the Information Commissioner’s Office. Where the breach is likely to result in a high risk to the individuals affected, they must also be told without undue delay.
9. Do you transfer data outside the EU?
There are significant constraints on ‘exporting’ data outside the EU. Establishing an inventory of where personal data is transferred, and on what legal basis, will help you navigate the differing rules across jurisdictions.
10. Have you identified your lead regulators?
If you trade across borders inside the EU, the supervisory authority of the member state in which your main establishment is located will act as your lead supervisory authority, with primary responsibility for your processing of data. If you trade solely within the UK with no cross-border element, you will be subject to the Information Commissioner’s Office.
Following these steps should help you to align your organisation with the new legislation. What is important to remember is that GDPR is already law. While it will not be enforced until May 2018, this is the implementation period and ideally you should be conforming to the new rules as soon as possible.
Richard Grainger, Centor’s Broking Director, commented: “This complex step change in the rules governing data protection will be challenging for all organisations, whatever their size. The 25th May deadline is not that far away. Centor is ready to help with both professional advice and insurance protection.”