General Data Protection Regulation: How to Prepare
From 25 May 2018, new legislation concerning personal data will come into effect across the EU. Here's what your business should be doing
For UK businesses of all sizes, protecting personal data, both physically and electronically, has never been more important. The data protection landscape has changed rapidly in recent years and is heading for its biggest shake-up in some time with the incoming General Data Protection Regulation (GDPR).
The GDPR outlines how the data of any EU citizen must be handled, wherever in the world the company in possession of this data operates, making it a truly global piece of legislation. It comes into force on 25 May 2018. The requirements stipulated in the new legislation range from stricter rules around securing consent for the use of personal information to, in some cases, the introduction of a designated data protection officer within the workplace.
With just over a year to get ready, companies are advised to get ahead of the curve to ensure they’re adequately prepared for these new standards. Ensuring your organisation is fully compliant with the forthcoming regulations will protect your business and employees against the possibility of a damaging data breach, safeguarding against potential financial penalties of up to €20m. Above all, acting now will reassure your customers, partners and employees that you take their data protection seriously.
To help businesses fully prepare for the new data protection legislation, and to help mitigate the risks of a data breach, Shred-it has provided six top tips for businesses:
1. Understand what the GDPR is, as well as its implications
It’s critical that businesses give themselves a head start by working with partners now to ensure they understand the legislation that will come into force in May 2018. A good way of doing this is by speaking to a legal adviser who specialises in data protection legislation so that you understand exactly how the regulation will affect your business.
2. Conduct an information audit
Businesses should take stock and document exactly how their data is processed, stored, retrieved and deleted through its lifecycle. If you haven’t already, introduce Privacy Impact Assessments (PIAs) into your organisation. These are risk assessments which identify areas where an individual’s personal data could be most at risk. Incorporating these will mean that data protection is front of mind from the outset.
3. Implement thorough data protection procedures that are compliant with the GDPR
Once a full audit has been conducted, think about what data protection policies could be introduced to further mitigate the risks associated with lost or stolen data. All options should be considered, from practical policies (such as a Clean Desk Policy) that help prevent data breaches, to response plans which enable businesses to act quickly when a breach does occur.
4. Develop a breach notification process
Put your organisation in the best possible position, in the event a breach does occur, by implementing a well-understood notification process and response plan. This ensures that even in the worst-case scenario, you and your employees will be able to act quickly to mitigate the damage. Additionally, from a legal perspective, certain types of breaches must be reported within 72 hours – having a process in place will buy you precious time.
5. Appoint a designated data protection officer
To ensure more responsibility is taken around data protection at all levels and to prepare for the incoming GDPR, appoint a data protection officer (DPO) to take ownership of overseeing data protection compliance and to assess where it sits within the organisation. Even for companies that may not possess or handle large volumes of sensitive data, it is still best practice to assign someone to oversee data control, not only to maintain privacy around personal data, but also to create a level of accountability within the business.
6. Train your staff regularly
It’s important that employees are trained frequently so that they are fully aware of the legislation, as well as their responsibility in protecting both their own information and information belonging to customers and colleagues. For this to be properly implemented, action must come from the top – executives and managers should foster a culture of security among their employees by being proactive when it comes to data security.