GDPR – Are You Ready?

0

It is less than a month until the General Data Protection Regulation (GDPR) comes into force, but after two years of preparation, how many businesses are GDPR ready? The latest flurry of figures suggest that many businesses are nowhere near prepared for the new legislation’s demands that they: re-establish a legal basis for using people’s data (whether that’s consent or otherwise), are able to quickly respond to subject access requests, can delete people’s data if asked to, the list goes on!

So, what does all this mean for your organisation? Well, firstly, there is no need to panic. Hopefully, you have made a start on your compliance journey, even if you’re not going to make the deadline.  Any business that deals with personal data in the UK is currently bound by the terms of the Data Protection Act.  If you comply with the Data Protection Act, then you will have made a great to start towards GDPR compliance. Regardless of GDPR, any business that takes the needs of its customers seriously will already be taking all the appropriate steps to protect its customers information.  Cyber crime and data theft is ever increasing, and organisations must be prepared for a breach and be confident they can deal with it quickly with minimum fall out. Reputational damage can lose you customers and seriously dent your profits.

There has been much GDPR hype over the last few years with talk of extortionate fines and punitive actions should your business fail to comply. The frenzy whipped up by the media and the new GDPR “experts” is unfounded says Elizabeth Denham, the Information Commissioner.  The Information Commissioners Office (ICO) do not intend to start dishing out harsh fines as soon as the regulation comes into place and neither will they target smaller organisations because they will be easier to catch.  The purpose of the ICO has always been to protect peoples’ data and to help business to do this by providing policy and guidance. It follows the carrot before the stick approach and has always viewed issuing large fines as a large resort. Ms Denham has been quoted as saying the implementation of GDPR will not alter this business-friendly approach.

That said, there is no denying the new regulation and the obligations placed upon all business to comply. At this late stage with a round a month to go, all organisations who have not yet addressed GDPR should try to achieve as much as possible in the run up to the 25th May deadline, to build up their compliance and demonstrate that information security is a priority for their business.

  • It is important to show that your organisation takes GDPR seriously and has taken action and has a plan in place to become GDPR ready.
  • Evidence of action taken is crucial.
  • Review all the personal data you hold, where is it, what is it, why do you need it, how long you need to hold it for, and who do you share it with.
  • Identify whether you are the data controller or data processor of this data.
  • Review of all policy and procedures in place around data protection and identify any gaps.
  • Review all contracts, who process personal data on your behalf, update all contracts with a data privacy clause which shows that processor is protecting the data on your behalf as the controller.
  • Demonstrate that you have a tried and tested Incident Response and Data Recovery plans in place should a breach occur.

You’re far less likely to suffer a significant fine if you show documentation of the GDPR compliant processes you have implemented and show a detailed roadmap of achieving anything that you still need to do.

GDPR isn’t all about the race to comply. Once you have tackled your data protection issues your customers will be happy, and you will have minimised the breach of data risk for your organisation. Everyone’s a winner!

RSS Feed Subscribe to our RSS Feed

Posted on : 30-04-2018 | By : kerry.housley | In : compliance, Consumer behaviour, Cyber Security, Data, data security, GDPR

Tags: , , , ,

Write a comment