GDPR – Gather, Document, Plan & Review!
With less than nine months until the 25th May 2018 deadline, organisations are still coming to terms with the General Data Protection Regulation (“GDPR”) and its implications, which will change the way we all do business.
Five key considerations:
1) Whether your Company needs a Data Protection Officer and, if so, who it will be -
If your Company requires the collection or storage of customer data, a Data Protection Officer (“DPO”) will be required. A key member of staff, DPOs will play an important part in considering security controls and any business decisions that involve data. Companies will need to consider GDPR when implementing any new system or process in the workplace. (Although initially a hindrance, companies can then potentially market their compliance to attract more custom.) If applicable, the board should meet to discuss the appointment of a DPO at the earliest opportunity. The right candidate (either from within or outside the firm) should have a detailed understanding of the Company’s IT infrastructure, as well as knowledge of data protection law. They should be able to manage data protection compliance as well as report non-compliance to the relevant authorities, and they should be provided with the resources to fulfil the role, reporting to the board and avoiding any conflicts of interest.
2) Your reporting regime - The GDPR gives companies just 72 hours to report data breaches from first detection to all customers affected, as well as the authorities. This will include providing details of the number of records lost or stolen, as well as disclosing how the breach occurred. The consequences could be very damaging to business reputations, and directors should consider an incident response plan to try and mitigate this. Aside from breaches, EU residents have the right to request any information relating to them from organisations and/or the removal of the same (including from backup/archive files) free of charge and within one month, so internal processes must be made as efficient and straightforward as possible to undertake.
3) All information stores in your business - In addition to key systems and storage devices, backup facilities or any separate copies of files or databases which contain personal data will breach GDPR regulations if left unprotected. Given the massive amount of data retained in most businesses, it is imperative that steps are taken to organise and ensure compliance at an early stage. In addition to workstations, any portable equipment such as laptops, USB devices or mobile phones which give access to personal data should be protected from loss or theft. Many companies will look to keep retention durations for data as short as practically possible in order to try and minimise risk.
4) How data is communicated - Data encryption goes hand-in-hand with GDPR, as encrypting documents such as email greatly reduces the potential impact of a data breach. (Without the encryption key, any such lost data is effectively useless, as it remains confidential to all but the key-holder.) Email remains the main form of communication for businesses, so it is vital that both incoming and outgoing messages (and attachments) are protected. Remember, personal data is classified as any personal information, including email addresses or phone numbers.
5) Agreements with clients - GDPR looks at how data is collected (companies are required to obtain consent from the owners of this data at the time of its collection, for example), how it is used and stored, who has access, and how companies ensure this is communicated to clients. It is vital that data retention policies are clearly explained to clients and that written agreement is obtained. For Companies in regulated industries, document retention and deletion times present additional complications due to conflicting regulators, and considerable care must be taken in incorporating a legally enforceable policy into the agreements for all client relationships.
It is essential that Companies review the way they handle personal data now, as ignoring or understating the risks could lead to potentially unlimited fines and very bad publicity. There is still time to act and put appropriate systems in place.
If you would like to learn more about GDPR please contact James McKenna at email@example.com or 01624 626586.
Peregrine Corporate Services Limited is licensed by the Isle of Man Financial Services Authority.