Exactly one year from today, on 25th May 2018, the General Data Protection Regulation (GDPR) will come into force. The replacement for the 1995 Data Protection Directive, GDPR introduces a range of new obligations that businesses will need to meet in order to demonstrate compliance.
Although a year might seem like a long time, implementing some of the requirements of the legislation will prove particularly time-consuming, so organisations need to act now to safeguard their future. The need to act now is further emphasised by the substantial fines that will be levied against companies that fail to demonstrate compliance in the wake of a data breach – up to €20M or 4% of global revenue, whichever is greater.
Who will be affected?
GDPR is designed to increase the privacy of individuals and protect their personal data. To achieve this goal, it introduces much stricter data protection rules for companies operating in the EU. The legislation affects any organisation that processes personal data, regardless of its size, turnover or the amount of data held. Smaller businesses should not make the mistake of thinking that GDPR will not affect them, as SMEs are expected to manage their data flows and processes to the same extent as larger companies. Ultimately, as the vast majority of Irish organisations have some form of personal data about their customers or employees on file, almost every organisation will be subject to the new law.
What are the next steps?
To prepare for GDPR, organisations need to take a number of steps. First and foremost, awareness of the new legislation should be raised internally, to ensure that all employees are conscious of GDPR. This will be extremely beneficial when it comes to maintaining compliance, as it will reduce the likelihood of shadow IT practices, i.e. employees using unauthorised programs that could lead to a breach.
Once awareness of the change in legislation has been raised, companies need to embark on a structured journey towards achieving compliance by taking the following steps:
Data review and audit - Organisations must review data in their possession to establish why they have it, where it is stored, how it is processed and who can access it. This will help companies to establish a comprehensive data inventory and ensure greater transparency and control going forward.
Review internal processes - Following the initial data review, businesses should review their privacy notices and data collection processes to ensure they cover all the rights an individual has, especially around consent to collect and hold their data.
Adopt and ensure Privacy by Design - Under GDPR, companies must ensure that data protection becomes a key component of their internal processes. This approach should be a key consideration throughout the lifecycle of any product or service in a company’s portfolio, to ensure the complete and ongoing security of personal data.
Appoint a Data Protection Officer - GDPR will introduce an obligation for companies that meet certain criteria to appoint a Data Protection Officer (DPO) to take responsibility for ongoing data compliance and protection. However, the scope of GDPR means that appointing a DPO is something that all organisations should consider.
Secure your data - Finally, organisations should implement systems to protect their data from a security breach. At this point it is worth working closely with an experienced information security provider that can guide you through the complex process of achieving GDPR compliance.
Cyber Security as a Service
As cyber-threats continue to evolve in complexity, many companies find themselves without the required skillsets to adequately protect their interests. The changing threat landscape requires specialist expertise and a multi-layered approach to effectively defend against threats and allow businesses to thrive.
Novi has over 15 years’ experience of providing Irish organisations with reliable, high-performance and cost-effective security as a managed service. We specialise in helping businesses with ongoing IT issues, and our proactive service model reduces unplanned system outages by 87%.
The introduction of GDPR will have a profound effect on any Irish organisation involved in the processing of personal data. Companies that act now will safeguard their future, while those that fail to act will leave themselves open to huge fines that could cripple their business.
Contact us today to find out more about how Novi’s team of security experts can help you get GDPR-ready.