Preparing for GDPR: steps you need to take now
Guy Bunker, Senior VP, Products, Clearswift
With less than two years to go, the EU General Data Protection Regulation (GDPR) will affect every public and private sector organisation transacting with businesses in the European Union. So far, much of the conversation has focused on the financial penalties that will result from non-compliance. However, instead of viewing the incoming GDPR as tyrannical bureaucracy, organisations should view the regulations as an opportunity to secure themselves against potential data breaches and improve their own operational resilience.
Whilst May 2018 might seem somewhat far off, this is not to suggest that business leaders can relax; two years is a short period of time for IT projects of this size, and the timeline itself needs to be put into perspective. The vast majority of businesses operate within a financial calendar, meaning that most of this year’s budget may already be allocated. This effectively gives businesses a year less than they might have thought to implement the more costly areas of complying with GDPR, such as upgrading IT infrastructure and hiring key staff. Senior management and Board members should therefore start thinking now about the changes they need to make for when the regulations come into full effect; this level of change takes time, understanding, planning and resources.
To adhere to the new standards, organisations have to understand what needs to be applied or changed within their systems and applications. However, the general consensus seems to be that most companies are unaware of what the regulations require, let alone how prepared (or in some cases unprepared) their company is. This isn’t the first set of industry standards to come into play. Organisations have always had to meet certain requirements when it comes to data protection, but the reach and operational impact of the new legislation go much further than anything seen before. This is why businesses need to begin adapting as soon as possible, and why many people’s understanding of the requirements may indeed fall short.
Ignorance is not bliss, and serves as no defence in the eyes of the law. Whilst the aim of organisations should be to focus on compliance, should the rules be broken, organisations stand to lose up to four per cent of their global revenue or €20 million, whichever is the greater. This in effect removes the cap on the fines that governments have been able to hand out. In the context of a large international corporation making millions or even billions each year, the potential ramifications soon become obvious, and potentially fatal for some organisations. So how do businesses get ready? The first steps:
Understanding the regulations
There has been a lot written on GDPR, and over the next two years there will be a lot more. In essence, if you do business in the EU or with organisations in the EU, then GDPR will apply. The focus is on protecting EU citizens’ information and responding to the various requests EU citizens might make about how their data is being used in order to protect their privacy. Whilst this right of access already exists, the pressure is now on to provide that data accurately and without delay. Furthermore, citizens can request the removal of information pertaining to themselves (the ‘right to be forgotten’), and while not all information may be allowed to be removed (due to competing regulations), just finding the relevant information, including that contained in unstructured documents, will be a headache for most businesses.
What’s more, the scope of the regulations extends beyond the organisation into the supply chain, where you might have shared information with third-party organisations. Implementing a process for tracking every single piece of GDPR-relevant information should therefore be a high priority.
If a firm suffers a breach, a 72-hour notification requirement obliges it to report to the appropriate Data Protection Authority. This will potentially require fundamental changes to the internal reporting structures of various departments; IT, HR, Finance, PR and marketing will all need to be incorporated into a coherent plan.
Understanding business needs
The first task will be to properly understand and document the critical information which falls into the categories covered by GDPR. There is a need to find out where it is held, how it moves across and outside the organisation, and who has access to it. Without this basic knowledge, putting protection in place will be an expensive exercise which may not cover all the requirements. Conducting a data management and data privacy audit is a good place to start. Once an organisation has this information about itself, it can start building a data management policy specific to its individual needs.
This activity can start before the appointment of a DPO, and many would say it is part of good governance; however, businesses and business processes move fast, and you may be surprised at how information is used and shared by your organisation today compared with 12 to 18 months ago.
The second task will be to understand the potential new roles that will be needed in the business and to make sure these are filled in the best way possible. Most importantly, there are a number of circumstances which require an organisation to hire a Data Protection Officer (DPO), a senior-level position that reports to the CIO or directly to the Board. These circumstances include all public authorities, cases where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale”, and cases where the entity conducts large-scale processing of “special categories of personal data”. Outside of these circumstances, there are other options, such as the ability to ‘share’ a DPO. The introduction of a new role specifically for data protection is something many businesses probably haven’t considered before, and now that it is mandatory, they will be looking at what steps are required to find the right type of person for the role. This shouldn’t be a rushed process; organisations should take the time to understand what is needed within the firm and the full extent of what the officer will need to do before beginning the hiring process. The role can be filled from within, which would make some things simpler, as an internal candidate will better understand the business as it currently stands. This person will be a critical part of the business and its ability to operate within the law; they need to understand both the legislation and the business’s needs.
The next challenge to be addressed is the cost implication of upgrading or modifying systems and applications to ensure compliance. Many companies will be using security systems and data protection software that are out of date and that do not protect them to the extent that the GDPR stipulates. Software purchased even a few years ago may not be up to scratch, as new security backdoors and vulnerabilities are found each day, and unless such software is replaced it leaves the organisation open to non-compliance and all the consequences that will bring. Threats are constantly evolving, and so too are data protection tools.
If a company needs new security systems, it is important to find a provider that can meet regulatory standards while also offering a solution that is within budget. There is no point spending vast amounts of money on software that has a short shelf life; there are cost-effective providers out there which offer intelligent consultancy as well as products to ensure a company can meet GDPR requirements. The IT security infrastructure that an organisation is implementing, or planning to implement in the future, needs to fully incorporate the requirements of GDPR, and today this also needs to consider the use of the cloud and social media. Two years for compliance is really a very short time frame.
Keep it simple: define the information that needs protection, look at the security in place, and then prioritise investments in security solutions to mitigate the risk. Remember to start the programme; prevarication will lead to running out of time. Start small and grow; don’t try to do everything all at once.
Training and education
Organisations need to ensure staff understand how GDPR will affect them and are aware of what they need to do to keep themselves and the organisation secure. Employees can really help management to understand what the ‘real’ processes are and how they can be improved to protect critical information.
Insider threats remain one of the biggest challenges businesses face when it comes to protecting data. Research from Clearswift found that 40% of firms expect a data breach in the next 12 months as a result of employee behaviour. With the threat of large fines looming, it is critical that everyone within the company knows how to keep sensitive data protected at all times. A clear set of current company policies and procedures, coupled with training and keeping staff informed, will prove highly effective in keeping the organisation safe.
The bottom line
Once 2018 is here and the law comes into effect, no amount of excuses will protect organisations if the rules are broken. Pre-planning and early implementation will serve you well when the regulations come in.
Understanding what your organisation needs, implementing cost-effective, secure solutions, and making sure staff understand what is expected of them are critical in meeting the demands of the new laws. However, this will also stand the organisation in good stead for the future. Regulations are constantly changing, but they share a common aim: to keep information secure. Make sure you are ready to meet regulatory standards and you will continue to operate efficiently and securely in the new data-protected landscape.
Forewarned is forearmed.