GDPR will mean that companies / organisations like yours will need to take a fresh look at how they deal with personal data in all aspects of operations, and what business relationships they have with 3rd parties.
GDPR requires privacy by default. Each EU citizen and person living in the UK will have the right to expect that data about them is stored securely and those storing the data e.g. companies / organisations, must be able to demonstrate compliance.
Very little data will fall outside GDPR, which means you will need to take GDPR seriously and become very familiar with it and its implications. GDPR also means that:
Your company will need to be clear about getting consent to use a person’s data for just the specified purpose and not regard silence or inactivity as consent.
You may need to prepare to select a DPO for appointment, and your company may require a lot of training so that everyone understands basic compliance. This should help minimise the kind of human error that can cause a data breach.
Your data security policies may need to be changed and the changes promoted across the company. You will also have to develop highly effective systems for monitoring for any data breaches. Compliance will also need to be designed into all data handling and processing systems, which could mean starting the analysis and thought process now to ensure that you are ready for 25th May 2018.
You will have to develop effective systems that ensure fresh consent is gained before you alter the way you use data, and that all data on a subject can be easily and quickly deleted on request.
Extra staff training will be needed. All staff need to be given training about GDPR and how it applies to their work and the business / organisation, preferably at the induction stage. Records of that training must also be kept. GDPR training should also be repeated on a regular basis, and employee acknowledgement that the training has been received needs to be kept in order to show that the company / organisation is making the effort to comply.
Mobile / portable devices that leave the building, e.g. laptops, will need to be encrypted, i.e. the data on the hard drive will have to be encrypted. USB sticks should also not be used, in case they are stolen or lost. Company mobile phones will also need encryption to be enabled, without using a 3rd party service to do so.
If your company provides data processing services for anyone else’s personal data, you will need to consider your liability and be compliant with the new EU regulations.
Only having to deal with one supervisory authority rather than a different one for each EU state should simplify things for businesses like yours, although EU citizens will still be able to register any complaints to the data protection authority of their choice.
GDPR provides an opportunity as well as a threat to your company / organisation. Becoming GDPR (and DPO) compliant could be a source of competitive advantage as other companies / organisations will be seeking to minimise their own risks by only associating with compliant partners / stakeholders.
You will no longer be able to rely upon simply listing data subject details on Excel spreadsheets, e.g. for mail outs or to load into mailing programs. Shared files in non-secure formats that don’t have audit capability, i.e. that cannot show who updated them last, are unlikely to be adequate or compliant, and could pose a security / privacy risk to your company / organisation.
The Data Protection Act only covered Data Controllers as owners of the data, and outsourced controllers e.g. accounts or payroll, were your data processors and were, therefore, not part of your registration for the Data Protection Act. Under GDPR, any service that has access to, or that you are sending personal data to, has to be GDPR compliant, and a two-way binding agreement will be needed, stating that your data is secure with them.
Using remote access / CRM / foreign suppliers could be an area of risk for your company as regards GDPR compliance. Companies / organisations may wish to consider avoiding the use of certain foreign suppliers in countries that the EU does not recognise as having adequate data privacy laws.
If your company uses a cloud service e.g. Office 365, Azure or other, these services will need to be compliant by 25th May 2018.
Under GDPR, business emails should not be sent from a personal email address e.g. via your personal mobile, because this could give data subjects a ‘right of access’ to your personal email account.
Avoidance strategies suggested by some companies, e.g. putting aside 4% of turnover to pay fines in order to avoid making the effort to become GDPR compliant, or relying on cyber insurance (or even shifting excess cyber insurance capacity to the Bermuda market), are unlikely to be successful or sustainable tactics going forward.
Globalnet aims to be an integral part of your success, providing the best business advice, superior IT support and technology to help you reach your goals.