Countdown To GDPR: Can You Afford Not To Be Ready?
The General Data Protection Regulation (GDPR) applies across the EU from 25 May 2018. As there are severe financial penalties for failing to comply, being prepared is key to ensuring your business does not fall foul of the new rules. With the 12-month countdown now under way, this is the ideal time to assess your level of preparedness.
The GDPR regulates how businesses collect, store and process personal data about individuals. Not only does it introduce administrative fines of up to €20 million or 4% of total worldwide annual turnover (whichever is greater), but it also changes how personal data may be handled and protected.
Many companies have reviewed and reformed their systems in light of the GDPR, but for those that have not, the following steps should be taken immediately.
All decision-makers in your company should be aware of the GDPR timeline. Raising awareness is crucial so that every system that collects, stores or processes personal data is identified and any risk areas are addressed. An inventory should be made of all personal data currently held: what it is, where it is stored, and why it is held and processed.
Policies, contracts and website application forms should be reviewed to ensure they comply with the GDPR. Where you rely on consent, it must be freely given, specific, informed and unambiguous, and the data subject must be able to withdraw it as easily as it was given. Businesses offering online services to children should consider how they obtain parental consent and how they verify it. Keep detailed records of this review so that they can be made available to a supervisory authority on request.
Plan how to deal with requests
The GDPR increases the information a controller must provide to a data subject who exercises the right of access. Where a person makes a subject access request, the business must respond without undue delay and in any event within one month of receiving it; this can be extended by a further two months for complex or numerous requests, provided the individual is told of the extension and the reasons for it within the first month. In most cases the information must be provided free of charge.
Procedures and resources for handling such requests should be identified before the regulation takes effect. The GDPR gives individuals new rights, including a right to data portability, a right to erasure (the "right to be forgotten") and a right not to be subject to a decision based solely on automated processing, including profiling.
Appoint a Data Protection Officer (DPO)
Where your core activities consist of large-scale processing of special categories of data (or data relating to criminal convictions) or regular and systematic monitoring of data subjects on a large scale, the GDPR requires you to appoint a DPO; public authorities and bodies must appoint one in any case. A DPO can be an employee or an external contractor but must have expert knowledge of data protection law and practice.
DPOs must be given the resources they need to carry out their tasks and to maintain their expert knowledge through ongoing training. The DPO must not receive instructions regarding the exercise of those tasks, cannot be dismissed or penalised for performing them, and must report directly to the highest level of management.
Be prepared for data breaches
The supervisory authority must be notified of a personal data breach without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Where the breach is likely to result in a high risk, the affected individuals must also be informed, and a processor that suffers a breach must notify the controller without undue delay. Every breach, whether or not it is notified, must be documented. This creates an obvious requirement to have a tested incident response plan in place for when personal data is compromised, for example by a cyber-attack, so that the facts, likely consequences and remedial measures can be established and reported within the deadline.
Any regulation that imposes such high penalties must be taken seriously. Moreover, the GDPR gives individuals a right to compensation for damage caused by non-compliance, so the new rules are likely to bring a significant increase in claims from aggrieved individuals who believe their data has been mishandled. It is crucial that organisations start their preparation now to mitigate their exposure.