There’s just a year to go before the General Data Protection Regulation (GDPR) becomes fully enforceable. Are you ready?
Compliance with the GDPR has become a major priority for SMBs since the European Union (EU) parliament finally agreed to use it as the replacement for the existing data protection directive. The new regulation harmonises data protection laws for consumers in the EU and applies to all businesses that collect data from them, regardless of where those businesses are located.
You can read a summary of the GDPR and what it means for SMBs here.
In this article, we’ll show you four effective ways to prepare your business for the GDPR. With fines for noncompliance reaching €20 million (or four per cent of annual turnover) you simply cannot afford to be complacent. Nor can you assume that Brexit means no GDPR – current government announcements suggest that it will be carried into British law even after the UK leaves the EU, according to Eversheds, a law firm.
The GDPR comes into force on 25 May 2018, so this is the time to be proactive and start taking steps to get your business ready:
Achieving GDPR compliance isn’t a job for one person. You need a team of people who can help you plan, implement and be accountable for your compliance efforts. The size of this team will depend on the size of your business, but consider engaging:
The important thing here is that you have a dedicated team who can drive, document and be accountable for compliance. Under the GDPR, accountability and proof of compliance are essential for every business; don’t skip this crucial step.
Compliance with the previous data protection directive does not automatically mean that you’re compliant with the GDPR. This is why it’s important to review your current security setup, your IT security policy and other data handling policies and procedures.
This is a process of discovery. The goal is to gather enough information to give you a clear understanding of how your business currently collects, uses and stores personal data. Here are some questions you can ask yourself to get the process started:
Be aware that the GDPR gives consumers the right to ask companies to share and/or erase their personal data upon request. This is why you need to know what kind of data you hold, and you need to be confident in your ability to trace, disclose and erase it as requested. Take the time to review your current data handling and IT security procedures, and enlist an IT partner to help you in the process.
The GDPR is all about privacy by design. What does this mean? It means embedding privacy protections into every aspect of your business and your interactions with customers, and it extends to all your products, services and processes. It’s about building privacy controls into everything you do, rather than tacking them on as an afterthought.
Under the GDPR, businesses have 72 hours to inform customers about data breaches that have compromised their personal information.
That’s a tight timeline to work with, and the last thing you want to be doing in the wake of a data breach is risking non-compliance by failing to notify customers. This is where a breach notification plan becomes useful.
Your data breach notification plan doesn’t have to be complicated. All it needs to do is:
Consider putting together some draft breach notification letters or emails that you can send to customers, regulators and other authorities. Careful planning of this kind will save your skin in those crucial 72 hours following a breach because it will enable you to focus on other important things, like mitigating the breach and preventing additional data loss, instead of scrambling to write notifications!
May 2018 seems like a long way off, but it’s not. You need to start preparing your business for the GDPR today.
These four things are just some of the actions you can take to prepare your business for the GDPR. In reality, this is just the tip of the iceberg; there is so much more you can and should do.
If you’re not sure where to start, review the GDPR and get an IT partner to help you understand and implement the controls and processes you need to achieve compliance. Remember: achieving GDPR compliance is not one person’s job. It’s always easier to get by with a little help from your friends.