Preparing your Regulated Firm for GDPR

The new EU General Data Protection Regulation (GDPR) comes into effect in May 2018 and represents the most radical change in data protection legislation in the last 20 years. GDPR has been developed to reflect the changing use of data in the digital world in which we now live, and is designed to enable citizens to benefit from modern digital services, whilst providing sound, well-formulated and properly enforced data protection safeguards to help mitigate risks and inspire public confidence in how their information is handled by businesses, third parties, the state and public service providers.

Failure to comply will have potentially catastrophic implications for companies, for two reasons:
1. For any breach, the UK regulator, the ICO, will be able to levy fines of up to €20 million or 4% of your annual turnover, whichever is the higher.
2. Breaches have to be notified to the data protection authority and, in some cases, the consumers affected, without delay. This leaves the firm concerned highly exposed to brand damage and potential customer payouts.
Whilst regulated firms already have onerous industry compliance responsibilities to meet in relation to data protection, many may still need to broaden their security measures and precautions in order to meet GDPR, as well as ensuring that they have the necessary written SOPs in place and can provide documentary evidence to demonstrate compliance.

So what do regulated firms need to be doing to prepare for GDPR?

Well, this is a big question and one I will be exploring in more detail in coming blogs, but to give you a flavour, the type of things you should be considering include:
1. Identify what personal data you are holding. Bear in mind personal data can be as simple as an individual’s name or email address. This is vital because you need to be able to demonstrate that you are protecting this data and using it appropriately. So understanding what you have and where it is forms the first step towards compliance.
2. Identify threats to this data. This could include things like cybercrime, accidental loss by employees, deliberate theft by employees, industrial espionage, lost devices and unauthorised access to data. This is vital if firms are to avoid the substantial fines that can be levied for unauthorised access to, or disclosure of, personal information.
3. Invest in and implement the right technologies and business processes to deal with insider and external threats to data. This will involve a wide raft of technologies to provide protection from a range of different threats, coupled with effective, documented business processes. This is very important if you are to avoid data breaches and hence the crippling fines and reputational damage they would bring.
4. Put together a new or updated data protection policy and train employees on it. This is important as everyone in your organisation needs to understand their obligations under GDPR and how to make themselves fully compliant.
5. Put in place processes for ongoing education for all members of staff around cyber security and data protection. Because the cyber security landscape is constantly changing, it is very important that employees are constantly kept up to date with best practice around security and data protection.
6. Create a breach notification plan. This is important because if the worst should happen, and you do experience a data breach under GDPR, you need to have a clear plan to deal with it and communicate it as smoothly and accurately as possible, and with the least possible damage to your firm.
Over coming blogs, I will be exploring in more depth some of the key issues around GDPR compliance for regulated firms. In the meantime, if you are concerned about your firm’s GDPR compliance position, please do not hesitate to contact me for a no-obligation conference call.
Rob Leverton

Rob has worked as an IT technician and project manager with Connexion for 14 years before moving into his current role as head of the technical services team.

Although Rob comes from a technical background, he’s very much a people person and is exceptionally good at building excellent working relationships with our customers and his technical team to deliver service excellence to our clients.

James Stratton

James is passionate about technology and how it can transform business. Having worked with hundreds of businesses in many different sectors over the last 25 years, he has a huge amount of business IT knowledge that he enjoys imparting to Connexion’s customers.

James is responsible for Connexion’s strategic development and also still enjoys a role in consulting, sales and marketing.