You might have already seen our first blog on the upcoming General Data Protection Regulation (though if you haven’t, now’s the perfect time to take a look). From the first part, it should now be crystal clear that organisations are legally going to have to do a whole lot more than perhaps they’re used to doing. Let’s pick up where we left off, and then, most importantly, we can take a look at what the next steps are for organisations.
One thing that data handlers dread more than anything else is a data breach, and with the GDPR there are going to be firm laws controlling how they’re managed. First of all, data breaches will have to be reported within 72 hours of becoming aware of the breach. When the breach carries a high chance of affecting the people whose data is involved, they must also be alerted (though no time limit has been set for this aspect yet). What this means in practice is that every single organisation that deals with personal data should have a thorough and clear data-breach action plan. There are more and more data breaches every year, and they’re only going to rise.
While a lot of the new developments from the GDPR are daunting, there are resources available to help organisations, and one in particular is compulsory: Data Protection Impact Assessments (DPIAs). These should be used when data processing could result in a ‘high risk for people’s rights and freedoms’; in practice, that means consulting your data protection officer or a legal consultant. If, after an organisation has carried out a DPIA, there are clear issues and risks associated with the data processing, then a data protection regulator must be consulted. It might sound excessive, but this is going to be the law and it’s there to protect personal data as well as the organisations that are dealing with it.
Now that we’ve got through all of the scary legal stuff, there is some good news. On top of creating a data breach action plan, there are measures you can take well before the GDPR even comes into force. One of the first things you should do is review the current systems in place and update them so that they’re ready for regulatory inspection.
Another organisational action (if it’s not already being done) would be to develop a data destruction plan, so that there is a clear procedure to follow to destroy data that’s no longer needed. There’s no excuse for keeping data that isn’t relevant any more.
There’s also much to be gained from setting up a data breach notification procedure with detection and response capabilities — treat this as seriously as you would a fire drill, and rehearse it routinely. In relation to this, setting up regular audits can only be a good thing, and it’ll make sure you’re proactively dealing with issues. If this all sounds like a handful, that’s because it is. Therefore, one of the best things an organisation can do is appoint a Data Protection Officer. Ultimately though, adhering to the GDPR is the whole organisation’s responsibility. That’s why training for everyone who even remotely deals with personal data is absolutely paramount. Use this opportunity to make sure everyone knows the benefits of processing data in a compliant way, and the risks of not adhering to the law.
Well, you’ve made it to the end of our GDPR double-bill, and hopefully you’ve taken something away from the journey. Keep in mind that there’s only about 4 months left until the GDPR becomes the law, so now is a fantastic time to prepare both yourself and your customers for the upcoming changes. And your customers will definitely thank you for it.