Like it or not, General Data Protection Regulation (GDPR) is coming, and it will affect your business. Make sure your business is ready before the May 2018 deadline.
The EU’s GDPR comes into force in May 2018 and it will affect all sorts of organisations in the UK, despite Brexit. In our last article, we discussed the fines that face businesses that fail to comply with GDPR when it comes into force next year. Given the size of those figures, it is vital that you ensure your business is ready to comply with GDPR. Being unaware is not an excuse.
To help you out, we at entrustIT have put together this handy guide of five important steps your business can take to get yourself ready for next May.
1. Review and plan
This seems like an obvious one, but many organisations will not adequately plan for the GDPR changes.
Carry out a detailed review of the methods you have in place to protect your data. Keep in mind that GDPR fines are imposed in the event of a data breach. Is your business data secure? Is it backed up regularly? Are the servers holding your data constantly monitored for threats? Do your consent processes meet GDPR standards?
These are just a handful of the really important questions you will need to ask yourself as you prepare for GDPR. Asking, and indeed answering, these questions is the first step to developing a plan for what needs to be changed before May 2018.
It may be prudent to work with a partner with a strong security focus. Your partner will be able to advise you on the best ways to get yourself GDPR-ready. In some cases, your partner will be able to bring your data into their ecosystem, storing it to the standards GDPR requires. Most Managed Service Providers (MSPs), such as entrustIT, will be able to do this for you.
The process of planning and implementing data protection changes is likely to take plenty of time. At the time of writing, there is just over a year until GDPR takes effect. It is therefore crucial that you begin planning immediately.
2. Test your defences
Since GDPR fines are in place to punish organisations with weak cyber defences, making sure your cyber defences are strong should be a top priority. You may wish to commission a penetration test, which identifies where the vulnerabilities in your organisation lie. If you have the resources to do this internally then do so; if not, it would be a good idea to find a company to do it for you.
An organisation with strong cyber defences will have strong backup and disaster-recovery methods built into its infrastructure. Its servers will have monitoring tools in place to ensure that any intrusions are stopped before they can spread and cause real damage.
For larger organisations with more financial clout, this is something that can be done in-house. However, small or mid-sized organisations may benefit from seeking the advice of a cloud services provider, such as entrustIT. At entrustIT, security is built into all our systems and we can help you get your data stores to a GDPR-ready state.
3. Get acquainted with your Data Protection Commissioner
As I discussed in the previous article, each country in the EU has a Data Protection Commissioner’s Office. In the event of a data breach, it is your responsibility to notify the relevant authority for your country. In the UK, this is the Information Commissioner’s Office. The full list of Data Protection Commissioner’s Offices in the EU can be found here.
Engaging with your relevant commissioner will help you to get valuable advice on GDPR compliance, as well as educating your employees as to who they need to go to in the event of a breach. It would be wise to keep the contact details of your relevant Data Protection Commissioner in an easy-to-access folder or on display somewhere in your office.
The reason for doing this is that a data breach is a stressful time, and in times of stress mistakes can be made. Having the commissioner’s details easy to access will help to ensure that you contact the correct commissioner and that you are reminded to do so. Remember, you have 72 hours in which to do this before incurring fines.
74% of UK SMEs had a data breach in 2015. It can happen. The lesson from Hatton Garden is that a determined intruder is difficult to keep out, but being prepared is key to minimising the damage.
4. Prioritise
The process for compliance is a long one. As a result, you may need to prioritise actions that present the highest risk to the business if left unchecked. These priorities will be different for each organisation, since every organisation has a different level of data security and has different strengths and weaknesses.
Take into account how long each process will take to complete, as this may affect how you prioritise. Also be realistic, and maybe even critical, about your current position. It is better to be over-prepared than under-prepared.
It may not be possible to be completely compliant for GDPR when it comes into effect in May 2018. This is particularly true as the deadline looms. It is therefore crucial that the areas that present the biggest risk to you are addressed first. For example, your organisation may already have strong server monitoring, but not a clear consent process for data processing. In this scenario, it would perhaps be foolish to spend the next 12 months strengthening your server monitoring at the expense of the consent process.
5. Implement
When you have planned, tested and prioritised the measures you need to take to ensure GDPR compliance, it is time to implement them.
Implementation measures may include data mapping exercises, drafting notices and policies, and conducting training and audit programmes. For your organisation to be GDPR compliant, it is important that all members of your team are pulling in the same direction. Therefore, ensure that they are aware of GDPR: what it is, what the consequences are, and what policies they need to adopt to avoid falling foul of the regulation.
Your staff must understand why it is important to be GDPR compliant, or else some of the new processes they will need to undertake may feel like an unnecessary burden and be neglected.
If your organisation requires one, you must hire a Data Protection Officer (DPO) [see previous article]. Ensure that your DPO is a GDPR expert and give them all that they need to continually keep your organisation compliant. You’ll thank them for it.
GDPR seems daunting, but with detailed planning and the right information you can ensure you are compliant without too many headaches. Hopefully, these last two articles have helped cut through some of the complexity surrounding GDPR.
If you have found this helpful, please share it among your friends and colleagues, and download our essential GDPR white paper here.