27 February 2018
The clock is ticking on EU GDPR regulations, due to be enforced on 25th May 2018 and replacing the Data Protection Act of 1998. With the threat of big fines looming over non-compliant organisations, all businesses, including SMEs, must make sure they’re ready in time for the changes. Your GDPR plan-of-action should be well underway by now, but nonetheless, here’s our checklist to help you get prepared for compliance in the next few months:
Part of the new GDPR regulations involves tighter record keeping when it comes to data. You’ll need to keep a record on what data you have, where it’s stored and how it’s being used. If you do this already – great. But be sure to keep on top of it ahead of the changing regulations. If you don’t, now’s the time to get moving and put a plan in place. And a word of warning: depending on the amount of data or number of customers you have, this could be a lengthy admin process, especially for smaller teams. Regtech tools can help ease the burden and help with compliance.
The buck won’t just stop with your business when it comes to GDPR violation. It’s the responsibility of every business within a supply chain to ensure total compliance with the new regulations. While GDPR accreditation doesn’t exist as yet, try to seek out reliable, trustworthy suppliers who are clearly making efforts to put GDPR codes of conduct in place. That way you’ll have peace of mind that you’re compliant from all angles.
Under the new regulations, businesses are required to appoint a Data Protection Officer (DPO) in the following circumstances:
And even if those stipulations don’t apply to you, you’d do well to appoint a DPO anyway, or at least ensure you have sufficient staff carrying out your GDPR obligations and constantly ensuring you are compliant. This could be an existing member of staff, so long as there’s no conflict of interest with their current role. Or, the role could be outsourced to an external provider. On top of that, it’s essential that you ensure all employees who handle personal data are fully educated about the rules of compliance.
The new GDPR puts data control in the hands of the individual. Not only will they now need to opt-in to have their data collected, but the onus is also on businesses to inform them what their data will be used for. Individuals will also maintain the ‘right to erasure’, meaning businesses will need a system in place that allows personal data to efficiently be removed at the request of the individual. All businesses must ensure they have such a system in place – SMEs might want to work with a GDPR-compliant supplier to facilitate this.
Once GDPR is enforced, businesses will have just 72 hours to notify the relevant data protection authority after a data breach occurs, as stipulated by the now-notorious Article 33 of the GDPR. 72 hours is a pretty challenging timeframe, especially amid the chaos that can ensue after a breach. So, now’s the time to make sure your security systems are up to the task. It’s also worth reviewing the way in which you notify customers after an attack. If anything, this is a good excuse to update and iron-out the processes surrounding security breaches in your organisation, which may even help you to prevent future breaches at the same (and this can only be a bonus).
Still unsure about what GDPR will mean for your business? Check out our handy guide to the legislation, with practical examples of how it could apply to you.
You may also be interested in:
27 February 2018 | Jamie Ward
The views in this article are the personal views of the author and are not necessarily endorsed by Gamma.