The new rules of the EU's General Data Protection Regulation (GDPR) have been published in the Official Journal of the European Union. Organisations now have 12 months to become compliant before the new law applies on 25 May 2018. The regulation introduces accountability obligations, stronger individual rights and tighter restrictions on international data flows. Businesses that already value and protect customer data can continue as they are. Organisations that presume consent and fall short on data loss detection and reporting have work to do.
Preparing for GDPR
All businesses need to evaluate the personal data they hold. Create a data flow map that shows how data moves through the company. The business can use it to see who has access to the data and where that data ends up within the organisation. The next step is to create and perform risk assessments, as the GDPR demands, in order to understand the threats that arise from data processing. A risk-based approach is essential, as is the development of appropriate controls. Management must understand and recognise the risks of data loss, misuse, theft and any other form of compromise to customer data. Businesses must also check that all third parties they pass data on to can provide sufficient guarantees of high standards of data protection and security.
Create a Data Breach Response Plan
The GDPR requires all businesses to be prepared by creating a breach notification plan. This plan is put into action if something goes wrong with the collected data. Understanding your data categorisation and data flow makes it easier to create a response plan. The plan needs to include details of who will co-ordinate customer communications, the response in the media and remedial activity. The plan should be rehearsed to ensure everyone knows what to do in response to a breach.
12 Steps to Take Now
The ICO has come up with 12 steps that organisations should take now in order to prepare. The 12 steps are:
- Awareness – decision makers need to be made aware of the GDPR and the impact of the new law.
- Document the personal data held in the organisation, how it comes into the business and where it is shared.
- Review current privacy notices and create a new plan for necessary changes in time for 25 May 2018.
- Check that your procedures cover individuals' rights.
- Update your procedures and plan how to deal with access requests.
- Examine and document the types of data processing performed in the business and the legal basis for each.
- Review how you request, obtain and record consent for taking data and decide if changes are required.
- Create systems to verify ages and to collect parental consent for data processing activities.
- Check that procedures are able to detect, report and investigate data breaches.
- Understand privacy impact assessments and know when they must be carried out.
- Designate a Data Protection Officer, someone who will be responsible for data protection compliance.
- International organisations need to establish which data protection supervisory authority they fall under.
The new law will require some businesses to perform extensive work and may require large investments of time and money. The year you have left to become compliant will pass by very quickly. Start working on becoming compliant sooner rather than later.