By 25 May 2018, any business that handles the personal data of EU citizens will need to comply with the General Data Protection Regulation, or GDPR. The incoming Regulation will introduce new and significant obligations to businesses that handle personal data and impose stringent sanctions for breaching the rules, including fines of up to 4% of global turnover or €20m, whichever is greater.
Some of the most important changes include: new rules on notifying authorities in case of a data breach; a right to data portability under which individuals can request to receive their personal data to transfer it to another service; the right to erasure whereby businesses must erase personal data if the individual requests it; an obligation under certain circumstances for businesses to undertake data protection impact assessments before processing personal data; and an obligation for businesses which conduct certain types of processing to appoint a data protection officer.
>See also: The road to GDPR implementation: challenges and opportunities ahead
With under a year to go, many businesses have not started preparations, and will need to develop and implement a strategy for compliance.
Every organisation that processes the personal data of EU citizens will require a tailored strategy depending on, among other factors, company size, the types and amount of data it processes, and its current security and privacy measures. It is highly recommended that businesses seek legal advice to determine what may be required in their specific situation. However, there are common requirements that will affect all businesses – even the very smallest – that handle personal data.
1. Understand your data
The first step on the road to GDPR compliance is to understand how personal data is stored, processed, shared and used within your organisation. A thorough audit will require a comparison of your current practices with the requirements under the new regulation, and thinking about what changes you will need to make to achieve compliance in a way that best suits the needs of your organisation.
Remember that fulfilling GDPR obligations goes beyond the policies and measures of your own organisation, and extends to any providers which process personal data on your behalf.
2. Determine ownership for data protection in your organisation
Certain organisations will be required to appoint a data protection officer. All will be required to adopt a data protection compliance programme. You may need to strengthen your data protection policies and provide training for staff.
>See also: A 6-step action plan for complying with GDPR
Not all businesses will need to appoint a DPO, but guidance suggests that they are essential to businesses engaged in two kinds of work – large scale processing of specific categories of data, or large scale monitoring of individuals’ data – like online behavioural ad targeting.
3. Ensure a legal basis for data processing
Your business will want to review what legal grounds you’re currently using for processing different types of personal data. If you’re using consent as a basis for processing data, you’ll need to consider how you obtain it and be able to clearly demonstrate how and when it’s been given.
4. Understand the rights of data subjects
Under GDPR, any individual whose data you process has new rights including the rights to access their personal data, or have it corrected, erased or ported electronically.
Can your business find, erase and move customer data easily? Do you have the capabilities to quickly respond to requests about personal data? Does your business, and third parties you work with, keep records of where data is located, how data is being processed and where data is located and has been shared?
5. Ensure privacy by design
Under GDPR, businesses are required to consider privacy by design from the outset when developing any new project, process or product. The underlying idea behind privacy by design is that building privacy into any project at the start, rather than bolting on privacy measures as an afterthought, minimises privacy risks.
>See also: GDPR compliance: what organisations need to know
Have you ensured that access to personal data is limited to only the people within your business who require it? In certain circumstances, you will want to conduct privacy impact assessments before processing personal data.
6. Prepare for breach management
Your business will need to have appropriate data breach management policies and processes in place. Make sure you understand which authorities you need to report a data breach to and the timeframes involved. Failure to report a breach properly – as well as breaches themselves – can incur fines.
7. Communicate essential information
Under GDPR, you will be required to communicate to individuals the legal basis for processing their data and make sure they are aware of the authorities they can complain to in case of problems. Make sure your online privacy policies are up to date.
8. Work with your providers
GDPR compliance requires consideration of your data security end-to-end, including providers which process personal data on your behalf. Using a third party data processor does not exempt a company from their GDPR obligations.
>See also: Why data suppression is key to GDPR compliance
Consider whether your data processors have world-class data protection standards, experience of managing data security at scale, and tools that can help you improve data governance and mitigate breach risks.
Check whether your provider has achieved international recognised standards for data security and protection, such as ISO 27018. Ask your provider about their network and information security (e.g. their encryption and application-level controls), security policies, training and risk assessments, and testing measures.
On the flip side, third party IT services can also help businesses, especially SMEs, achieve compliance. Adopting cloud-based services which have been built with security and privacy from the ground up can help businesses with their GDPR compliance preparations.
Look at how some cloud services can help you control access to data within your organisation, help you respond to requests from individuals about their data or help you improve security.
Sourced by Gazala Haq, head of Policy, EMEA at Dropbox
The UK’s largest conference for tech leadership, TechLeaders Summit, returns on 14 September with 40+ top execs signed up to speak about the challenges and opportunities surrounding the most disruptive innovations facing the enterprise today. Secure your place at this prestigious summit by registering here