The General Data Protection Regulation (GDPR) is a meaty subject and one which has been on everyone's lips since its announcement earlier this year. There's no doubt that mass confusion and uncertainty has ensued regarding the steps businesses, and individuals within those businesses, need to take to reduce the risk of liability.
What's more, I'm not sure people fully understand the sheer amount of work which needs to be done to achieve compliance in such a short timespan. For example, demand for data protection officers is reported to reach a massive 28,000 in Europe alone.
So, here is a nice digestible overview of what the GDPR could mean to you.
What exactly is it?
The GDPR basically gives individuals more say over what organisations can do with their personal data, which means any information relating to an identifiable person, whether that identifies them directly (a name, an ID number, an online identifier) or through factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. It introduces tougher fines for non-compliance and breaches and ensures data protection rules are more or less identical throughout the EU. Where the ICO could previously levy a theoretical maximum of £500,000, penalties will reach an upper limit of €20 million or 4% of annual global turnover, whichever is higher, which is quite frankly an unthinkable amount!
And don't start thinking Brexit can save you, because the GDPR has a far wider geographic scope than the current law: it applies to any organisation established in the EU, and to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour. If you process the personal data of individuals in the EU, you're still in scope, and the UK will still be a member state on the day it applies. So, great news for individuals; however, it presents complex issues for organisations.
It’s coming for us, and soon…
The GDPR is the biggest change to data protection in the last two decades, replacing the 1995 Data Protection Directive, which the UK implemented as the Data Protection Act 1998. It applies from 25th May 2018, with no transition period beyond that date, by which time companies must be compliant with the newly published rules and have drastically improved their data privacy practices. So planning (not to panic you) needs to be well underway as we speak.
What this actually means for your business
If you're at board level and reading this article, then you're more than likely feeling a little nervous, but it's all about being prepared. Early preparation is key, as although the GDPR sets out a framework and the principles you must meet, it doesn't set out exactly how to comply. By preparing for the GDPR now, you can anticipate its effects instead of being surprised. One of the most significant changes is accountability: the GDPR requires you not only to comply with the principles but to be able to demonstrate that you do, for example through training records, the processes and policies you have in place, and records of what personal data you process and why.
Consent, consent and more consent
Businesses need to be extremely clear on how they're using personal data; it will be important for organisations to explain exactly what personal data they are collecting, why, and how it will be processed and used. Where you rely on consent, it must be freely given, specific, informed and unambiguous, given by a clear affirmative action: pre-ticked boxes, silence or inactivity don't count, and consent must be as easy to withdraw as it was to give. Bear in mind that consent is only one of the lawful bases the GDPR allows (others include performance of a contract, a legal obligation and legitimate interests), and for employee data it is often not the right one, because the imbalance of power between employer and employee makes it hard to show that consent was freely given. Whichever basis you rely on, you need to identify it, document it and be able to show it; without that, again, businesses are liable.
Do I need a Data Protection Officer?
Some organisations will need to appoint a Data Protection Officer: public authorities, and organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data such as health data or criminal records. By the time May 2018 reaches us, data privacy experts are predicting a shortage of DPOs, so if you're an organisation that will need to recruit, then you need to start thinking about this now. Remember the GDPR is a continual process, not a one-off task.
Make sure all organisational decision makers are on board
The GDPR means slightly different things to different people within an organisation. As a CEO, your view is the entire business and how each area complies. As an IT Director, all of your systems must comply with the GDPR; you'll need to think about your HR data and systems, your payroll solution, CRM, website and newsletter registrations, social media accounts, access control systems, CCTV and so on; the list goes on. As a Finance Director, your main aim is to not get fined, and so naturally you also have a huge interest and focus in each area.
Then we have the HR professional. In short, the GDPR will have a huge impact on HR departments. HR manages employee information, which is personal data by definition. If you're currently using manual processes such as spreadsheets or other means, it's going to be extremely tricky for you to demonstrate compliance. Of course, data protection touches on almost every HR activity, from recruitment to performance management and even after an employee has left your business. Therefore, it's important to understand how you can approach your processes differently.
You must think about how you collect your data, how it's used and finally, how long it's retained and when it's deleted. How is it secured? Who has access to it? Could you detect a breach, and could you report it to the ICO within the 72 hours the GDPR allows? Can you demonstrate all of this if asked? And so on.
Benefits of an HR solution
HR software, especially cloud solutions, can be hugely helpful in ensuring that your organisation is fully compliant. We are working with Fifth Step, a strategic partner who will make sure that we, as a software provider, are compliant, and together we can take the onus away from you, ensuring your HR processes are GDPR ready by the time May 2018 strikes. As a trusted Salesforce partner, it's obviously important for us to understand how they will be approaching the GDPR, and the below is taken directly from the Salesforce website.
Salesforce’s Commitment to Data Protection
"At Salesforce, trust is our #1 value and nothing is more important than the success of our customers and the protection of our customers' data. Salesforce's robust privacy and security program meets the highest standards in the industry. We have consistently reinforced our commitment to protecting our customers through our actions over the last few years.
Additionally, Salesforce’s Trust and Compliance documentation describes the architecture and infrastructure of our services, the security- and privacy-related audits and certifications our services have received, applicable administrative, technical, and physical controls, and sub-processors and other entities material to our services.”
– Appoint one of your directors as accountable. If a DPO is required, decide in which area of the business this person will reside.
– Identify your existing data systems and what personal data you process.
– Identify the steps you need to take to be ready for the GDPR.
– Review your current documentation relating to data protection and consent, including contracts, handbooks and policies.
– Establish a data breach policy and a data retention and storage policy.
– Ensure suppliers are compliant.
– Ensure staff are suitably trained in GDPR requirements.
If you’re feeling bogged down by this subject, make sure you give us a call on 0800 043 2923 or contact us here. In collaboration with Fifth Step, we can help you take the steps you need to get the ball rolling and stop fearing the consequences.
We will feature a series of GDPR related articles and campaigns over the coming months, so watch this space…