The General Data Protection Regulation (GDPR) came into effect on the 25th of May 2018 and has already caught out over 200,000 businesses in its first twelve months, with data breach complaints up by 160% and fines totalling 56 million euros – 50 million of which was paid by Google alone!
Failure to comply with GDPR can cost a business 4% of its annual turnover or 20 million euros (whichever is the higher amount), so this blog will list my top tips and best practices for staying compliant, handling data securely, and avoiding any large fines.
So, what is GDPR? GDPR is the European law that governs what companies and organisations can do with your personal data. Personal data is defined as any piece of information that can be used, either on its own or together with another piece of information, to identify an individual. It was introduced because the previous data protection legislation was created back in the 1990s, before any of us had smartphones capable of harvesting huge quantities of personal data about us, and companies like Facebook and Google have since been able to profit from its use, mostly through targeted marketing.
GDPR requires that companies are more transparent about people’s personal data, and it gives control of that data back to the individual it belongs to. This means that if a business holds any data about its suppliers, customers or even staff, that data must be stored securely and be readily available on request.
Storage of data also needs to be justified, so if a good reason for holding it cannot be provided, the business could face significant financial penalties.
To avoid a fine, make sure that any personal data stored is well organised and readily available if someone asks for it. Whether the request comes from an individual, a business, or an auditor, there must be a response within one month, and it must be delivered accurately, in full, and free of charge. It is a good idea to create a process for doing this, and a process for deleting data should that request be made.
Secondly, as part of an organisation’s housekeeping, it is a good idea to regularly delete any information that has already served its purpose, and to make sure that no data is kept unnecessarily without its owner’s consent.
GDPR requires that data is stored securely and protected against unauthorised access, so ensuring data is physically secured and under lock and key is crucial, as well as all hard copies being kept in a fireproof safe that is only accessible to authorised personnel.
Data also needs to be protected from unauthorised remote access, so antivirus software and firewalls should be kept up to date on all devices, and measures need to be implemented to stop malicious hackers from gaining access and compromising business-critical systems.
Next, I would suggest creating a risk assessment and a record of security measures that can be rolled out to your staff. This can be used to demonstrate the business’s best practices for data protection should an auditor come to visit.
When GDPR came into effect, consent to use data for marketing was changed from ‘opt-out’ to ‘opt-in’, meaning that consumers now have to take action and tick the box that gives permission to use their data. It is therefore advisable to have a clear and positive opt-in policy, with the evidence of consent kept alongside the other stored data. If someone then opts out again, it is vital that a rigorous and thorough process comes into play to ensure they do not receive anything else from you. Failing to do this is an easy pitfall and a good way to get caught out by complaints and end up with fines.
Appointing a Data Protection Officer (DPO) is advisable: someone who is responsible for implementing the procedures and policies I have gone through. Initially it may be a good idea for senior management to take on the role and then delegate these responsibilities once a thorough and complete understanding of GDPR compliance is gained.
Every organisation is responsible for implementing an incident management system, part of which will involve the DPO being responsible for reporting an incident to the governing body for data protection in that country. In the UK, that is the Information Commissioner’s Office (ICO), and this must be done within 72 hours of discovering a breach.
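The three processes described above (keeping opt-in evidence and honouring a later opt-out, purging data that has served its purpose, and tracking the one-month access-request and 72-hour breach-notification clocks) are small enough to sketch in code. The following is an added example written for this post, not code from the original article or from any regulator; the class and function names, the 30-day approximation of "one month", and the sample addresses are all assumptions of the example.

```python
"""Consent ledger, retention purge and statutory deadlines.

Added illustration for the GDPR tips above; not an official or vendor
implementation. Names and the 30-day approximation are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

DSAR_RESPONSE_DAYS = 30     # "within one month" approximated as 30 days (assumption)
BREACH_NOTIFY_HOURS = 72    # report to the ICO within 72 hours of discovery


@dataclass
class ConsentEvent:
    when: datetime
    kind: str          # "opt_in" or "opt_out"
    source: str        # how consent was captured, e.g. "web form" (the evidence)
    wording: str = ""  # the exact statement the person agreed to


@dataclass
class ConsentLedger:
    """Append-only record of consent events, keyed by (lower-cased) email."""
    events: Dict[str, List[ConsentEvent]] = field(default_factory=dict)

    def record(self, email: str, kind: str, when: datetime,
               source: str, wording: str = "") -> None:
        if kind not in ("opt_in", "opt_out"):
            raise ValueError("kind must be 'opt_in' or 'opt_out'")
        self.events.setdefault(email.lower(), []).append(
            ConsentEvent(when, kind, source, wording))

    def latest(self, email: str) -> Optional[ConsentEvent]:
        evs = self.events.get(email.lower())
        return max(evs, key=lambda e: e.when) if evs else None

    def may_contact(self, email: str) -> bool:
        # Opt-in model: no record at all means no consent, and the most
        # recent event wins, so a later opt-out overrides an earlier opt-in.
        last = self.latest(email)
        return last is not None and last.kind == "opt_in"

    def filter_recipients(self, emails: List[str]) -> List[str]:
        """Suppression step to run before any marketing send."""
        return [e for e in emails if self.may_contact(e)]

    def evidence(self, email: str) -> List[Tuple[str, str, str, str]]:
        """Chronological consent history for one person (what a DSAR reply draws on)."""
        evs = sorted(self.events.get(email.lower(), []), key=lambda e: e.when)
        return [(e.when.isoformat(), e.kind, e.source, e.wording) for e in evs]


def dsar_due(received: datetime) -> datetime:
    """Latest date to answer a subject access request received at `received`."""
    return received + timedelta(days=DSAR_RESPONSE_DAYS)


def breach_notification_due(discovered: datetime) -> datetime:
    """Latest time to notify the supervisory authority of a breach."""
    return discovered + timedelta(hours=BREACH_NOTIFY_HOURS)


def stale_records(last_used: Dict[str, datetime], retention_days: int,
                  now: datetime) -> List[str]:
    """Keys of records whose retention period has elapsed: the housekeeping purge list."""
    limit = timedelta(days=retention_days)
    return [k for k, t in last_used.items() if now - t > limit]


if __name__ == "__main__":
    # Constructed sample data for the example.
    ledger = ConsentLedger()
    ledger.record("a@example.com", "opt_in", datetime(2019, 1, 1), "web form", "Yes, email me offers")
    ledger.record("a@example.com", "opt_out", datetime(2019, 2, 1), "unsubscribe link")
    ledger.record("b@example.com", "opt_in", datetime(2019, 1, 15), "paper form", "Yes, email me offers")
    print(ledger.filter_recipients(["a@example.com", "b@example.com", "c@example.com"]))
    print(dsar_due(datetime(2019, 6, 1)), breach_notification_due(datetime(2019, 6, 1, 9)))
```

The suppression check runs against the whole history rather than a single "consented" flag, so the ledger doubles as the evidence you would show an auditor and as the record returned with an access request; the purge helper is deliberately separate so retention decisions are made on a schedule rather than ad hoc.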