June 30, 2017
The clock is ticking. On the 25th of May 2018 the EU’s General Data Protection Regulation (GDPR) will come into effect. While that may feel like a lifetime away, the reality is that if you haven’t already started assessing, planning and implementing processes to ensure your organisation’s compliance, time is running out.
What is GDPR?
In a nutshell, GDPR replaces the Data Protection Directive 95/46/EC, is designed to refresh data protection legislation, bringing it up-to-date with new, previously unforeseen ways that data is now captured and used, while making data protection legislation consistent throughout the EU. Along with these changes, the legislation introduces tougher fines for non-compliance, and gives the public more control over what companies do with their data.
Why it matters to your business?
If your company processes EU citizen’s personal data, whether it resides in the EU or not, it will be subject to the rules of the GDPR. With those rules come some seriously hefty fines.
From the information provided, it is understood that a two-tiered sanctions regime will apply. Breaches of GDPR by businesses, which are deemed to be most important for data protection, could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year. For other breaches, the authorities could impose fines on companies of up to €10m or 2% of global annual turnover, in both tiers whichever is greater.
Who is responsible for It?
The two most obvious people in the company, with responsibility for the GDPR, are Data Processors and Data Controllers. A data controller is the person in charge of deciding how and why personal data is processed, whereas the processor is the individual or organisation actually processing the data, for example a third party IT firm, processing and storing the data.
However, the pervasiveness of technology in business and the complexity of data management, means the Chief Information Officer (CIO), Chief Security Officer (CSO) and even the CEO must get involved if the GDPR is to be effectively managed.
Getting GDPR ready
So what should you do to get your company GDPR ready? At NashTech we’ve been working with our consultation partners, Harvey Nash Recruitment Solutions, to help clients ensure all there I’s are dotted and t’s are crossed when it comes to GDPR.
Below are the steps we recommend your company take to get GDPR ready.
1. Map out your plan
Just as laying the foundation correctly is essential to building a solid house, taking the time to map out your GDPR strategy can help flag any unforeseen hurdles, align all stakeholders and save you major headaches down the road.
2. Assess, assess, assess
A thorough understanding how the GDPR trickles down through your company isn’t something you can achieve sitting around the board table. It requires a methodical assessment, that examines your technology, human resources and operational processes. This phase is crucial. Overlook a single department, process or server and risk facing those crippling fines I mentioned earlier.
3. Make a battle plan
From your assessment you should have a clear understanding of the most critical (and potentially exposed) areas of the business. The key now is to start pulling together all that information into an actionable ‘battle plan’, divvying out measures and deadlines to the key stakeholders. The battle plan should set out the resources, support structures and capabilities you require, and the timelines needed to get them to a sufficient level of maturity to confidently meet the GDPR requirements by May 2018.
4. Monitor and reassess
The GDPR directive is quite expansive and much of it is open to interpretation. With that in mind, it is imperative that you continue to monitor your battle plan and question if it still holds up in the face of changing technologies adopted by your company and reiterations enforced by the regulator.