30 August 2017
By now, you’re probably well aware that the new EU General Data Protection Regulation (GDPR) is coming. Chances are you’ve been inundated with articles saying you should be prepared for it, or else face the consequences.
However, according to one survey, a third of public sector decision makers are not yet confident that they’ll be fully prepared for GDPR by the time it kicks in. If that sounds familiar – don’t fear. Here’s a quick and practical run-through of the steps you can take today to protect yourself tomorrow…
What is it?
If you’ve been hiding under a rock, here’s the low-down. The new regulation is set to replace the Data Protection Act, and becomes effective on 25th May 2018. Under the new guidelines, the responsibility for reporting breaches and protecting the data of EU-based individuals against a breach will fall solely on the shoulders of organisations. Failure to do so could result in fines of up to €20 million.
While the UK is set to leave the EU, there’s still an overlap between the date of withdrawal and the date GDPR kicks in. In fact, the government has recently outlined new data protection proposals that essentially transfer the EU GDPR into UK law. There’s simply no avoiding it.
How does it affect you?
The public sector supports a wide range of citizens with a wide spectrum of needs. With budgets being stretched all the time, the prospect of fines is simply not acceptable. Public sector IT directors should be treating this new regulation as a chance to step up processes for effective data protection and find efficiencies wherever possible.
What should you consider?
Ask yourself: what kind of personal data does your organisation hold? Where is this data held? What is it being used for? How secure is it? You need to be aware of where and how all personally identifiable information (PII) is stored, because this is the crux of the new regulation. It must be kept safe and secure, and used only for legitimate purposes, or fines will follow.
Once you’re aware of your data status, you should be developing processes that can handle data subject requests. This may require you to update privacy notices too. And don’t forget about any suppliers who also have access to your citizens’ data – they will need to be GDPR compliant too, or you’ll be held accountable.
All public sector organisations handling personal data will need to appoint a Data Protection Officer (DPO). The DPO will make sure your organisation is aware of its obligations, which means you need to budget accordingly if your DPO is to be settled in and ready come May 2018.
It’s also important to ensure that all your infrastructure is GDPR ready. This includes any system that houses or transfers data, including your telecoms, and it covers more than just names and addresses – payment card information is included, too. With mobile data traffic set to increase over the coming years, IT directors will need to ensure their networks can withstand attempted hacks. Compliance, in this case, is also a huge opportunity to put best-in-class security in place.
And finally, it’s also important to educate all employees who handle personal data about the new regulations. GDPR is not just an IT issue – it applies to every area of the organisation. This means IT directors should be working with HR leaders to drive the cultural shift that will help build data best practice.
Time is running out, especially for the public sector, which tends to be burdened with more red tape than commercial businesses. Like any other deadline that seems a long way off, GDPR can creep up on you. Get prepared, and do it quickly. That way you can rest easy come May 2018.
Read the Gamma guide to the new legislation and what this means for your organisation here.
30 August 2017 | Sam Winterbottom
The views in this article are the personal views of the author and are not necessarily endorsed by Gamma.