Businesses must get ready for the incoming General Data Protection Regulation (GDPR), which aims to return control over personal data to individuals and bring the whole European Union under one regulatory regime.
Replacing the UK's Data Protection Act 1998, GDPR means your organisation will have to change the way it handles personal information or face a serious financial penalty. What does the regulation mean for your organisation, and what can you do right now to ensure you are compliant by 25 May 2018?
A change of approach
“Parts of IT that have been unaffected by data protection laws in the past will need attention from businesses to ensure they comply with the new regulation.” (Karsten Kinast, KuppingerCole)
Yet new research shows that nine out of ten European businesses are “unsure exactly how to become compliant when the regulatory hammer comes down on May 25 2018.”
GDPR demands significant changes to the processes and culture around data security, and that is not something you can achieve overnight. On top of that, the increase in the maximum fine to 4 percent of annual global turnover or €20 million (whichever is higher) makes the new regulation impossible to ignore.
To put this in perspective, if Tesco’s recent security breach had happened under GDPR, the company could have faced a fine of up to €1.8bn. So, how do you start getting ready for GDPR?
What is GDPR?
Just in case you’ve been hiding under a rock for the last couple of years, GDPR stands for the General Data Protection Regulation. It is a new EU-wide law that regulates how organisations must collect, process and protect the personal data of individuals in the EU, and it applies whether or not the organisation itself is based in the EU.
And yes, the UK government has confirmed that the decision to leave the EU will not affect the commencement of GDPR.
While there are tools available to solve some of the technical challenges of data protection, they are not enough on their own to demonstrate compliance.
On a practical level, the board should also note that the UK’s Information Commissioner has already said it wants the ability to hold directors personally to account.
Preparing for GDPR therefore needs to involve your legal team, IT specialists and the board. It demands an enterprise-wide change in mindset, with data security and identity management at its heart, and that requires buy-in from everyone in your organisation.
Where do I start?
25 May 2018 may seem a long way off, but you have a lot of work to do before that date. As Quentyn Taylor has said (in InfoSecurity magazine):
“Being ready is not just about getting a data protection course of policies, but how we are changing the culture of the company.”
The accountability principle means it is not enough to comply: you have to be able to demonstrate compliance. That means developing a strategy for security management and data protection, recording why you are making the decisions you make, and reassessing and adjusting those decisions as circumstances change.
First things first: if you haven’t started getting ready for GDPR, you need to start now. A good place to begin is the ICO’s 12-step plan, which breaks the key requirements of the regulation down into 12 manageable areas, such as data protection by design, consent and data breach notification.
However you choose to start, you need to start now.
How prepared is your organisation for GDPR? We can help you comply. Take our 2-minute Cyber Security Assessment and receive a tailored report with suggested improvements to your company’s practice.