The clock is now ticking before the General Data Protection Regulation (GDPR) comes into force across Europe. Organisations have 2 years from today to assess how the new regulation affects them, and implement any necessary measures to ensure compliance by 25 May 2018.
Don’t forget, the Data Protection Act 1998 (DPA) isn’t going anywhere for the time being – if you are complying with best practice under the DPA, then you are on the right path, but depending on the nature of your business, you may still have a way to go.
The reputational implications of non-compliance with data protection law have always been significant for any company, but the punitive measures have been relatively weak. Under the GDPR the potential punitive measures are huge, with possible fines of up to 4% of annual worldwide turnover or €20 million.
So, what steps do you need to take?
The ICO was quick to produce a guide on 12 important steps to take in the short term. It’s time now for organisations to start delving into the detail. The important thing is not to get fazed – your approach should be based on a set of fairly simple principles. In a throwback to ‘back to basics’, Pritchetts have distilled these principles down to the 4 R’s:
1) Review
Or rather, what’s the state of the nation? It’s vital to understand how your organisation works now, mapping out how (and what) information flows around it, how and where it is stored, and who has access to it.
Next, review the new regulation and highlight which elements of the GDPR framework are most relevant to your organisation.
Finally, undertake a gap analysis to identify how your current processes and systems measure up against both the current law under the Data Protection Act 1998 and the GDPR – what are the gaps that need to be filled now, and in readiness for the GDPR?
2) Risk Analysis
Once you’ve understood the ‘to do’ list, the chances are you won’t have sufficient resources or management capability to oversee all the necessary changes at once. Defining your priorities based on the risk to your organisation of not acting is vital. Consider both the likelihood of something going wrong and the magnitude of the impact.
3) Resource
You’ve got your priority list; now it’s time to make the necessary changes. You will likely need additional resource. This could be additional people, new skills, technological solutions or physical infrastructure (e.g. new data centres).
It’s also probable that compliance with the GDPR will at best alter the budget and, more likely, increase the operational cost of most organisations.
Consider the value of creating a compliant solution. Your clients and competitors should be going through the same compliance exercise. If they are not, or if they are saving it up as homework to do on the last possible day, you may be able to gain a real competitive advantage by offering a compliant solution straight away.
4) Review again
Someone once said “nothing stands still, except in our memory”. Based on your risk assessment, your organisation will need to determine how often all of the measures you have put in place need to be reviewed and/or updated.
If you require any expert advice on how to assess your GDPR readiness, to develop your project plan, and to help you create a compliant solution, please don’t hesitate to get in touch with us.