According to Kroll Ontrack & Blancco, 4 in 5 IT managers are unaware of the upcoming changes to data protection regulation: the EU General Data Protection Regulation (GDPR). This certainly means they can’t be preparing for it either… and, unlike the Data Protection Act 1998 which it will supersede, the penalties can be huge – 5% of global turnover or €100,000,000 (whichever is greater!).
What is GDPR?
The GDPR will be a common set of data protection rules across the European Union. Technically it will be an EU Directive which will be implemented in law in all member states – the purpose being to harmonise data protection across the EU and (potentially) centralise policing for international companies.
At the moment it is still in draft form, but the expectation is that, although some changes have been made over its course through the European Parliament, it will be adopted in late 2014 or early 2015 and come into force in 2017 – allowing at least 2 years for companies to transition.
There are 5 main differences to the Data Protection Act in the UK:
- Three New Rights For Data Subjects: The Right To Be Forgotten, The Right To Data Portability, and The Right To Data Erasure.
- Mandatory Breach Notification. It becomes mandatory to report data breaches to the regulator within 72 hours, and data subjects must be notified if harm will occur.
- Explicit Consent. You must obtain explicit consent to hold the data from the data subject – opting in will become the norm.
- Penalties. As mentioned, the penalties rise significantly for negligent data breaches – rising to 5% of global turnover or €100m for more serious breaches.
- The Data Protection Officer. Public sector bodies and organisations processing over 5,000 subjects’ data in 12 months must appoint a Data Protection Officer, whose responsibility it will be to conduct risk assessments and analysis and to safeguard the data.
Don’t Panic – We’ve Got 2 Years!
Don’t Wait Either.
With such huge changes proposed there are the usual elements of the IT industry who are either professing impending doom or suggesting that it won’t happen. Neither seems likely to me – GDPR will happen in some form, likely to be close to the current drafts; and there is no impending doom.
There are at least two years until you have to be compliant, so there is plenty of time to start integrating the new principles now so that the change can be almost seamless by the time it becomes mandatory. Data security is becoming a large differentiating factor for consumers, so make sure you’re ahead of the game – I’ve got 5 simple steps you can start with now to make sure you’re ready come 2017:
5 Simple Steps to GDPR Compliance.
1. Understand Where You Are.
Before you can start to think about how you’ll comply with GDPR you need to know what data you have now, where it is and how it is protected. Undertake an audit of what you hold today and what you’re likely to take on in the next few years. Once you have this, assess how relevant it is – do you need to keep it? Does it have value? Of course you should already be destroying data when it becomes unneeded under the DPA’s Principle 5… but check and delete. If you don’t have it, you can’t lose it!
2. Obtain Consent & Engage.
Now you know whose data you’ve got, remember that you’ll need to have their consent to hold it in a post-GDPR world. You can use the next two years to obtain that consent when customers and data subjects contact you naturally. Develop the processes for obtaining consent now – a simple ‘Do you mind if we hold your details?’ in a contact centre conversation will suffice. Don’t try to obtain it surreptitiously, in small print or otherwise; people won’t take kindly to it and it’s not in the spirit of the regulations: would you want your data held like this?
If you start asking now, by 2017 a huge proportion of the relevant data you hold (remember to destroy ageing data!) will be opted in and you won’t be one of the organisations embarrassingly seeking retrospective consent.
3. Update Your Policies.
Update your Breach Policy & Detection. With stiff penalties for failing to report breaches in a much shorter time scale than you might be used to working to, it’s important that your internal process means that any breach, no matter how small, gets to your Data Protection Officer (or equivalent for smaller companies) promptly and that you have a plan for how to react. Ensure that everyone in the business knows the importance of reporting data loss promptly – include it in your recurrent data protection training from now onwards.
4. Identify Responsible Person.
If you’re a public body, or process data on more than 5,000 subjects, then you’ll need someone to fulfil the mandatory role of ‘Data Protection Officer’, but even if you’re smaller you’ll want to identify one person in your organisation who can ensure you’re compliant. Someone with experience of data protection principles and a good view of the company will be ideally placed. Resist the temptation to appoint someone from the Finance or Legal teams unless they’ve genuinely got a good understanding of the data identified in point 1.
Use the time between now and implementation to make sure that they have conducted relevant Data Risk Assessments and mitigated risk wherever possible.
Then, importantly, empower this person – get senior management or the board involved to ensure that everyone knows about the changes and the importance of them (there’s €100m at stake here!).
5. ‘Change-In’ The GDPR now.
Come 2017, most companies won’t be operating exactly the same systems, in the same state, as they are today. This means the natural business changes that keep driving them forward can be used to ensure you’re designing in GDPR principles from today onwards. Some simple ideas and best practice:
- Select a data protection framework now (COBIT, NIST or ISO) and judge all new changes against it.
- Build in monitoring and reporting tools which report loss.
- Obfuscate and encrypt data wherever possible, especially on test systems.
- Adopt ‘Opt In,’ ‘Data Portability’ and ‘Data Erasure’ functions in new software, now.
- Audit your systems – consider getting external auditors to both probe your defences and your processes.
A series of small changes over the next two-to-three years will mean you’re ready for GDPR when it becomes law.
If you’re in doubt at any point, ask yourself:
Would I want my data held and processed like this? Does this seem fair?