When it’s fully implemented on 25 May 2018 the new regulation will be a significant step change from what organisations are currently used to, with stricter laws governing how companies manage their customers’ and employees’ personal information.
Intended to strengthen and unify data protection for all individuals across the EU, its requirements include the obligation to report any data breaches to regulators and customers within just 72 hours and to obtain and maintain proof of consent before an individual’s personal data is processed. Any infringement of the rules could result in potentially massive fines: €20m or up to four per cent of a company’s global turnover for the previous year, whichever is larger.
And despite the UK’s vote to leave the EU, British organisations will still be affected as it applies to any company serving EU residents irrespective of whether their business is based within an EU member state.
To protect both themselves and their organisation, directors, non-execs and trustees are duty-bound to minimise the risks, and now is the time to start preparing. Five key elements needed for successful data protection demand close attention right away.
Investing in technology
Over two thirds of UK IT professionals expect to invest in new technologies or services – such as encryption, analytics, perimeter security and consent management – in preparation for GDPR. But this doesn’t have to mean a complete overhaul of existing IT infrastructure. Companies and organisations can invest in data protection technology that fits with their existing systems, is flexible enough to be tailored to their needs and can evolve as the landscape changes.
Designing for transparency
This new level of scrutiny around how personal data is stored and protected means all businesses will need to put processes in place that encourage transparency at every level of the organisation.
One less-discussed aspect of GDPR is the Subject Access Request – the right of an individual to request access to their personal data and demand details of how it has been processed by an organisation. For those business areas that process such data but are shielded from external scrutiny, this will be a rude awakening. So a top-to-bottom review of all data and activities involving personal information – extending far beyond the obvious IT departments – will be essential.
Making employees aware
An ongoing education programme for all employees within an organisation will also be crucial for much the same reason. This needs to go right down to the basics – how staff should take notes and record information about customers, prospects and employees in anticipation of such information one day being subject to a data access request.
Insuring against risk
Companies will have to review their insurance policies to ensure they are properly protected against the huge risks associated with GDPR fines. For example, while the cost of claims under EU legislation and of compensation claims made against a business’s directors and key managers is usually covered as standard under directors’ and officers’ liability insurance, some uncertainty still remains around coverage for GDPR-related claims. To minimise the personal impact on the leadership team, the Board should check with their insurance provider to ensure they are properly covered.
Reducing toxic data
Collecting and accessing more information than is needed has become common practice at many businesses and organisations. But GDPR raises the question: just how much data is enough?
Every organisation should now ask itself this question, as far too many are sitting on frightening amounts of potentially toxic data which, if ever hacked or leaked, would do untold reputational damage. Significantly cutting the amount of information being gathered could ultimately make it easier to protect and more cost-effective to gather, store and manage.
Without doubt, GDPR will have a significant impact when it is fully implemented in just under two years’ time. But the new regulation does not have to be a threat and could even bring about a wider – and positive – organisational transformation when it comes into force, so long as those at the top make the right decisions before it is too late.
Simon Loopuit is CEO of personal data storage and protection specialist trust-hub.