The General Data Protection Regulation (GDPR) will come into force in May 2018. The Regulation will become part of the growing legislative framework for data protection and security, and will have an impact on companies of every size across the business landscape.
But what exactly will it mean for your company?
Speaking in March, Information Commissioner Elizabeth Denham outlined the changes that the Regulation will introduce to the legislative agenda, and the greater emphasis it will place on companies of all sizes to take responsibility for how they receive, handle, process and destroy personal data.
Designed to provide greater protection for consumers, the Regulation will oblige companies to implement more robust safeguards for personal data at every stage of its lifecycle, and will increase accountability: organisations must not only comply, but be able to demonstrate that they comply.
Under GDPR, individuals in the UK (data subjects) will benefit from new or stronger rights to:
- Be informed about how their personal data is used
- Move their personal data between service providers (data portability)
- Have their personal data erased, the 'right to be forgotten'
- Access the personal data an organisation holds about them
- Have inaccurate or incomplete information that a company holds corrected
- Object to automated decision-making and profiling, and not be subject to decisions based solely on automated processing.
All companies will be expected to meet these standards once the Regulation has come into force, regardless of size, sector or mission.
Experts have warned that businesses are unprepared for the new rules, which will be enforced through a system of enforcement notices and fines applied in proportion to the severity and nature of the breach.
If you are an SME, then, you should be mindful of GDPR, and focus on the opportunities to improve that the Regulation can provide. Expect it to transform the way you think about personal data and how you manage it, and treat the process changes it requires as a mechanism for improving the customer-facing side of the business.
Practical steps you can implement to help your company prepare for the changes and stay ahead of the curve include:
- Develop a Data Protection Policy. No matter the extent of the data you handle, you will need clear objectives and commitments in place to comply with the Regulation. If you already have a policy that complies with the Data Protection Act, you can adapt it to cover your arrangements for meeting the rights listed above.
- Decide who is responsible for data protection and for implementing your Policy. Accountability is key to developing effective processes, and your new or adapted Policy should include a section setting out responsibilities across the organisation. Note that some organisations (for example, those whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data) will be required by GDPR to designate a formal Data Protection Officer.
- Develop a strategy for demonstrating how you have complied with the Regulation. Your Policy will support any assurances you make, but will not be sufficient on its own. Consider the records you keep for training, policy reviews, process changes, internal audits, release of information to customers, and consultation with your workforce; GDPR also expects organisations to keep records of their processing activities. All of this can be used to demonstrate compliance where requested. This becomes particularly important if you regularly answer tender questionnaires for contracts, or if you are audited periodically by customer organisations.
- Train your workforce in the new Regulation, its significance, and how they can help you to comply across all of your operations. Training providers are already offering courses to teach staff how to comply with the Regulation, so that companies avoid being stung with a fine once the new rules come into force. Even if you think you have made appropriate arrangements, there is always a chance that you have overlooked or misinterpreted a vital component of your system. With enforcement notices and fines on the table if you are found to be non-compliant, investing in information and training for your workforce will pay in the long run.
- Coordinate with your supply chain. Identify where personal data reaches you through suppliers, and how you can integrate your processes so that no gaps between organisations can lead to breaches. Similarly, your customers may receive personal data from you or from the people you deal with, and you will need them to demonstrate that they have safeguards in place that match your own standards. How will you achieve this? Second-party audits, reviewing the same kind of compliance evidence you keep yourself, are one way.
- Design privacy into the service you provide. Whether you are a building contractor, law firm or print merchant, receiving and using customer data is an inevitability. How can you offer assurances, before you receive and process their data, that customers' privacy and the rights listed above will be safeguarded? How can you adapt your processes to reduce the amount of personal data you need to collect in the first place, and how can those processes be audited to verify this?
- Consult with your workforce. As you hold personal data on all of your employees, they will have an opinion on how they would like their data to be used. For instance, data analytics company SAS found that 21% of adults intend to ask for the personal data their employers hold on them to be removed once the Regulation comes into force. Once you have listened to the requests of your workforce and implemented actions to meet them, you may well find that you have developed useful systems and processes that can be reused to serve your customer base, or used as evidence to demonstrate compliance.
Ultimately, the best way to ensure you move in the right direction towards compliance is to make a genuine effort to learn about the Regulation, and to demonstrate to your customers, employees and stakeholders that you are interested in safeguarding their personal data. The reaction to the announcement of GDPR indicates that people welcome the rules, and all businesses, no matter their size, will need to transform the way they think about data protection to match this enthusiasm.