As we approach the magical 12 months until the deadline (25/05/2018) for complying with GDPR there are still a lot of people who know very little about what is required of them and their business. This article hopes to spread the knowledge as well as what’s required of them before its too late.
One of the main areas of concern I’ve noticed when speaking to people about the upcoming migration to GDPR, is that they think they have nothing to worry about and that GDPR will not apply to them. Unfortunately, this statement is incorrect, GDPR will apply to all businesses who process personally identifiable information about any person who is a UK / EU citizen. This means that every business will be in scope of the regulation, and will extend to businesses outside of the European Union.
Owning a business with the looming regulation changes means, that you can’t simply say that your business is compliant, changes need to be implemented and it won’t be as straight forward as you think it will be. Businesses will need to verify that their websites, suppliers, mailing lists, data and internal systems are all up to scratch.
Once GDPR has come into act, businesses will need to demonstrate that they are in fact compliant, that they can demonstrate that they practice the policies and procedures and not just write them and stick them in a file.
Businesses will need to make sure that their client data is located within the correct countries, and any data that is outside of the UK/EU or US have the right accreditations to ensure they comply with GDPR. If not there may be a lot of work to ensure the data is in the correct place.
Not only this, but if you outsource your data to a third party for the sake of CRM, marketing or anything, does your third-party supplier store and manage your data accordingly?
A bit part of the GDPR is making sure that people have a choice of what data companies have access to. As part of this, businesses need to make sure that everyone on their mailing lists and databases have had the chance to “opt-in” and consent that their data can be used. This doesn’t just relate to mailing lists, you also need to ensure that people are informed about what their information is going to be used for, where its going to be stored, and have the chance, if needed to request that their information is moved somewhere else.
Policies are one of the controlling factors that which the regulators can find out how a business is monitoring and protecting the information that they are using. The GDPR, specifically article 39 states that: “Tasks of the data protection officer: “(1b) To monitor compliance with this regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.”
The problem here is, that although the GDPR states that you need to put controls in place to protect personal data, it doesn’t specifically tell you what you need to have. As a minimum, all businesses should look to have at least the following policies:
- Information security policy
- Information classification and handling
- Physical security controls
- Development and privacy by design
- Acceptable use policies
- Clear desk and clear screen
- Information transfer
- BYOD / mobile devices
- Data processing agreements
- Data breach notification
- Data retention
- Information asset register
What can I do?
One way of ensuring that your business is doing the minimum to become GDPR ready, is to undertake the Cyber Essentials with IASME governance certification. This certification will allow your business to self-assess against several questions that cover a wide range of cyber security and GDPR related questions.
If your business can pass this, then you will be in a good position to be on the road to compliance. You can find more about this on our website at: https://terabyteit.co.uk/services/compliance-and-advisory/cyber-essentials/
However, it doesn’t stop here, GDPR compliance will be an evolving process for every business, as more information is shared, stored, processed, more policies and procedures will need to be updated and created on a regular basis.
If you haven’t already, you need to start looking into becoming GDPR compliant now and not waiting until next year, by then, it will be too late.
If your new to GDPR and want to find out more information about how this new regulation will affect your business, you can find a lot of resource from the ICO, at: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/. If you would like to have someone come and take an overview of your business and practices, and see how you fair against what is required, TeraByte can be of assistance.
TeraByte have several articles which explain various aspects of GDPR, the data protection act and how to stay safe, you can find these on our blog at: https://terabyteit.co.uk/blog/
You can contact us by the following methods: