The next two years are set to bring remarkable change: the UK's future within European borders, the expected introduction of a universal flu vaccine and a substantial increase in the volume of data flowing into organisations. These are key milestones which will affect not only the UK but also the rest of the world.
In 2018 the deadline falls for meeting new regulations on the handling of personally identifiable information (PII). Combined with the expected growth in data volumes, this has significant implications for any business which processes personal data.
The European Parliament held its final vote on the new General Data Protection Regulation (GDPR) in April 2016, with the aim of protecting personal information in an increasingly digital world. Although the Regulation will not apply until 25 May 2018, two years is a relatively short time frame when businesses must assess the new requirements, evaluate their existing measures and plan a path to full compliance.
To help businesses understand the impact of the GDPR on their information management processes and where it fits within the wider regulatory landscape, here are six key steps to ensuring records are GDPR-ready.
Defining GDPR
Aiming to protect personal information in digital and physical form alike, the GDPR is by far the largest shake-up of data protection rules so far this century. It runs to 99 Articles (and 173 recitals) with far-reaching implications for how organisations use and store personal data. In essence, the legislation protects the right of an individual in the EU to determine whether, when, how and to whom his or her personal information is revealed, and how it may be used.
The Information Commissioner's Office (ICO) advises businesses to start planning their approach to GDPR compliance as early as they can. However, many businesses across Europe remain unaware of how the changes will affect them and what the impact will be.
There are a number of important steps you can take now to help your organisation identify where your PII is stored and understand your obligations towards managing it. Considering the prospect of multi-million Euro fines for non-compliance, can you afford to wait?
Step 1 – Do I have personal data?
In order to decide which parts of the new legislation apply to your organisation, you must understand what is meant by personal data. Under the Regulation, 'personal data' is any information relating to a 'data subject' (a natural person) who can be identified, directly or indirectly, from that data, whether alone or in combination with other information. This explicitly includes online identifiers such as device identifiers, cookies and IP addresses, and pseudonymised data remains personal data for as long as it can be re-linked to an individual using additional information. In practice, this means that an organisation acting as data controller must know about all personal data under its control, understand the risks to that information and be able to demonstrate how those risks are mitigated.
Step 2 – Does GDPR affect me?
Next, it is vital to understand the key terminology used in the GDPR in order to know whether, and how, it is relevant to your organisation. Key terms include 'personal data', 'controller' and 'processor', 'territorial scope', 'data subject access requests', 'data protection impact assessment (DPIA)', 'the right to erasure', 'data portability' and 'consent'. For further information on these, go to our knowledge centre, or consult the glossary of terms on eugdpr.org.
Step 3 – Where is data stored within my organisation?
In order to meet your statutory obligations, you first need to know where personal data is kept. To gain a full picture, analyse the data held on corporate systems, employees' personal devices, offsite archives and filing cabinets, as well as information held by suppliers, subcontractors and business partners who process personal data on your behalf (your 'processors'). Remember that you remain accountable for that data: the GDPR requires a written contract with each processor setting out what they may do with it.
Step 4 – Develop a data map and categorise every piece of information
Following this analysis, we recommend creating a data map which gives a complete view of all physical and digital information, including personal data, held across the organisation: what it is, where it sits, why it is processed and who has access to it. The data map is an important tool for locating, assessing and monitoring information on a continual basis, and it is also the natural basis for the records of processing activities that the GDPR requires many organisations to maintain.
Step 5 – Review and update existing policies
Once you know where your information is, you need to know what you may do with it and how long you are permitted to keep it. The GDPR's storage limitation principle means personal data may be kept only for as long as it is needed for the purpose for which it was collected. Ensure that your retention policies are up to date and in line with your legal, regulatory and contractual obligations, so that you keep only what you should and destroy personal data (and all other records) securely when the retention period ends.
Step 6 – Remain attentive and responsive
Finally, the business as a whole must be aware of its obligations. Information passes through the hands of employees, contractors and suppliers, so all parties must understand and comply with the same retention policies. Just as regulations change and impose new obligations over time, your retention policies should remain dynamic and responsive, adapting to the evolving business and regulatory landscape.
Organisations across Europe have long been familiar with the need to store personal data in line with current regulatory requirements. The introduction of the GDPR, and the penalties attached to non-compliance, means that getting data retention right has now become critical. Failure to do so could result in fines of up to four percent of total worldwide annual turnover or EUR 20 million, whichever is higher.
Following these six steps is a sound starting point for keeping regulators at bay. Failure to act now could cost your organisation dearly in the long run, so it is far better to start today than to rush to catch up later.