The clock is now ticking before the General Data Protection
Regulation (GDPR) applies across Europe. Organisations have 2
years from today to assess how the new regulation affects them, and implement
any necessary measures to ensure compliance by 25 May 2018.
Don’t forget, the Data Protection Act 1998 (DPA) isn’t going
anywhere for the time being – if you are complying with best practice under the
DPA, then you are on the right path, but depending on the nature of your business,
you may have a way to go.
The reputational implications of non-compliance
with data protection law have always been significant, but the
punitive measures have been relatively weak. Under the GDPR the
potential punitive measures are huge, with possible fines of up to 4% of annual
worldwide turnover or €20 million, whichever is higher.
So, what steps do you
need to take?
The ICO was quick to produce a guide
on 12 important steps to take in the short term. It’s time now for
organisations to start delving into the detail. The important thing is
not to get fazed - your approach should be based on a set of fairly simple
principles. In a throwback to ‘back to basics’, Pritchetts have distilled
these principles down to the 4 R’s:
1) Review
Or rather, what’s the state of the nation? It’s vital to understand how your organisation works now, mapping out how (and what) information flows around it, how and where it is stored, and who has access to it.
Next you should review the new regulation and highlight which elements of the new regulatory framework are most relevant to your organisation.
Finally, undertake a gap analysis to identify how your current processes and systems measure up against both the current law under the Data Protection Act 1998 and the GDPR – what are the gaps that need to be filled now, and in readiness for the GDPR?
2) Risk Analysis
Once you’ve understood the ‘to do’ list, the chances are you
won’t have sufficient resources or management capacity to oversee all
the necessary changes at once. Defining your priorities based on the risk to
your organisation of not acting is vital.
Consider both the likelihood of something going wrong and the magnitude
of the impact.
3) React
You’ve got your priority list, now it’s time to make the
necessary changes. You will likely need additional resources. These could
be additional people, new skills, technological solutions or physical
infrastructure (e.g. new data centres).
It’s also probable that compliance with the GDPR will, at
best, alter the budget and, more likely, increase the operational cost of most
organisations.
Consider the value of creating a compliant solution. Your
clients and competitors should be going through the same compliance exercise.
If they are not doing so, or they are saving it up as homework to do on the
last possible day, you may be able to gain a real competitive advantage by
offering a compliant solution straight away.
4) Review again
Someone once said “nothing stands still, except in our
memory”. Based on your risk assessment, your organisation will need to
determine how often all of the measures you have put in place need to be
reviewed and/or updated.
If you require any expert advice on how to assess your GDPR
readiness, to develop your project plan, and to help you create a compliant
solution, please don’t hesitate to get in touch with us.