We ask industry specialist Jim Sneddon some FAQs for strategies towards GDPR compliancy
As you are aware, the General Data Protection Regulation (GDPR) comes into force in May 2018. It is the largest overhaul of data protection rules in decades and affects all organisations, bringing a multitude of obligations to ensure that the personal data of EU citizens is securely and effectively protected.
Breaches of privacy can lead to severe financial penalties, bad press, damaged reputation, loss of trust from customers, loss of business and, for employees, the prospect of disciplinary action.
Ensuring GDPR compliance could have significant resource implications, especially for larger organisations, which may be difficult to execute if preparations are left until the last minute, so start the process towards GDPR compliancy today.
We speak to industry specialist Jim Sneddon at AssureData about the frequently asked questions around GDPR compliancy:
Q: Is it just personal data or does GDPR extend to business related data too?
The GDPR only relates to the personal data of a living person who is a resident or citizen of the European Union. If an individual can be identified by that data, whether it is a business email or not, then it is within scope.
General business data, such as a switchboard number or group mailbox is not within scope of the regulation.
Q. Do all employees need to understand GDPR?
Yes, data privacy is relevant to, and the responsibility of everyone in your organisation. Ensure all employees within your organisation are aware of GDPR and the changes and impact this is likely to have. Where possible, provide training and solutions to assist. Document best practices for handling personal data and ensure all employees understand the implications.
Q. Does my organisation need to register with the Information Commissioner’s Office?
Under the Data Protection Act individuals and organisations that process personal information need to register with the Information Commissioner's Office (ICO), unless they are exempt.
Q. How does our organisation prepare for the new rights of individuals, handling subject access requests, consent and data breaches?
The ICO website offers an online tool that helps highlight the key areas your organisation will need to improve upon.
Q. How does our organisation assess current compliancy levels?
The ICO website provides an online tool that assesses your high level compliance including registration, fair processing, subject access, data quality, accuracy and retention.
Q. Do I need to devise a GDPR compliancy plan?
Yes, each organisation should perform an analysis of the current position concerning compliance and devise a strategy that prioritises steps that show measurable risk reduction.
Q. Will we need to carry out an information audit?
Assess what personal data is held, where it came from, whom it is shared with, and what the lawful reasons for processing this data are. If there aren't any, delete it. An information audit may need to be completed across the organisation or within certain business areas in order to assess the data thoroughly.
Q. What steps can I take using the assets that already exist within the organisation?
GDPR compliance will require a combination of people, process and technology. Ensure that data is secure, enable functionality such as two-factor authentication and encryption if it is not already enabled and optimise existing systems and processes.
Simple steps can also be taken, such as enforcing policies and processes to protect personal data, ensuring desk drawers are locked, keeping desks clear of personal data, locking computer screens when not in use and disposing of personal data in confidential waste bins.
Q. Do we need to record all actions taken towards compliancy?
A requirement of the GDPR is that all actions taken towards compliancy are documented. If a breach occurs you will then have supporting evidence to assist the ICO to help mitigate any potential penalties.
Q. Do I need to employ a dedicated Data Protection officer?
Some organisations will require a dedicated Data Protection Officer (DPO) to take responsibility for data protection compliance within the business; any organisation can have a DPO.
However, it is mandatory to designate a DPO if you are:
A public authority (except for courts acting in their judicial capacity)
An organisation that carries out the regular and systematic monitoring of individuals on a large scale
An organisation that carries out large scale processing of special categories of data, such as health records, or information about criminal convictions
Q. Will Brexit impact GDPR?
GDPR still applies to UK companies offering any type of service to the EU market, regardless of whether your business stores or processes data on EU soil and regardless of Brexit.
Q. What if we do nothing?
When the EU General Data Protection Regulation (GDPR) is enforced from 25 May 2018, breached organisations will find the fines they face increasing dramatically. From a theoretical maximum of £500,000 that the ICO could levy, penalties will reach an upper limit of €20 million or 4% of annual global turnover, whichever is higher.
Q. What are the next steps to take?
1. Check whether your organisation needs to register with the Information Commissioner’s Office
2. Employ a dedicated DPO (if required)
3. Assess current compliancy levels
4. Carry out an information audit
5. Devise a GDPR compliancy plan
6. Optimise existing systems and processes
7. Document best practices for handling data
8. Train all employees for effective data handling
9. Record all actions taken towards compliancy
BEING COMPLIANT PAYS DIVIDENDS
There are a number of areas where businesses can benefit:
Elevate customer confidence - The last ICO survey found that 75% of adults in the UK do not trust businesses with their personal information. That feeling of lost control impacts consumer trust in the businesses that use their data. Becoming compliant and communicating this to your customers will promote trust and customer loyalty.
Improve efficiencies – Having cleaner, more accurate data allows organisations to be more efficient and targeted, helping to streamline processes and have a competitive advantage.
Reduce costs – Reducing the amount of excess data you store reduces the amount of storage required and its associated costs. In addition, employees save time by having access to accurate and relevant data.
Increase productivity - Marketing campaigns become more targeted and more successful due to the quality of the data now held.
Start the process of becoming GDPR ready today.
Need further information?
If you require further information about GDPR and how our solutions ensure compliancy, please do not hesitate to contact the team on 020 8979 3000 or email firstname.lastname@example.org
Viewdata is a specialist Apple IT service provider, delivering nationwide Mac Management solutions to businesses, retail, education, healthcare, local government and the financial sector for over 25 years.
Our solutions and services include:
IT Support | Mac IT Support | Cross-platform IT Support | Mac Integration | Apple Reseller | Apple Hardware | Apple Certified Engineers | Zero-touch Deployment | Mobile Device Management | iPad Support | Business Continuity solutions | Data Back-up Services | Jamf Gold Reseller | Centrify Select Partner | Adobe Licensing | Cloud Solutions | Apple Hardware Leasing | IT Accessories | IT Relocation Services | VoIP