It is just one week until the 25 May compliance deadline for the EU's General Data Protection Regulation (GDPR). The build-up to this date has already seen vendors offering a barrage of products and services, putting pressure on companies to throw large sums of cash at their GDPR efforts.
But this is not necessary. Free resources such as the ICO’s GDPR checklist are available to help firms of all sizes prepare for the update. It is also important to note that fines of up to 4% of turnover for organizations that suffer a breach of personal data will not be applied if firms can prove they have taken the correct steps to comply.
As the deadline approaches, five key checks will help to ensure GDPR compliance:
Remember employees are covered by GDPR. Therefore, firms should issue staff with a ‘Data Privacy Notice’ advising them that their personal data will be processed by the company under ‘legitimate interest’, according to Ardi Kolah, executive fellow and director, GDPR programme at Henley Business School and author of the GDPR Handbook.
“Explain in ordinary language which personal data will be processed, the purposes and duration for doing so, what rights they have and who they should contact if they have concerns. You should also outline what happens if they leave the organization and who else this personal data will be shared with.”
Crucially, Kolah says firms won’t be able to rely on consent as a lawful basis for processing employees’ personal data because “it will not be deemed to have been freely given”.
“Continuing to process personal data without lawful grounds is a serious breach of the GDPR,” he warns.
Ensure adequate breach response. As the deadline approaches, businesses’ breach response process must be watertight. “Dry run scenarios with your security team and make sure everyone knows what is expected of them,” advises Cath Goulding, head of information security at Nominet. “In addition, ensure you will be able to alert the relevant authorities within 72 hours. As everyone knows, humans can be a weakness in such situations – so a final reinforcement of responsibilities is important.”
GDPR awareness and training are essential. GDPR will be a familiar term to certain departments within the business, but everyone needs to know what the regulation means for them. “For companies operating security and data compliance teams across borders, it is also worth ensuring international teams are reminded of their responsibilities under GDPR now and on the day it goes live,” Goulding says. “It may not be as high-profile for teams in countries outside the EU, so this will be important especially in the early days.”
At the same time, firms must make sure they have introduced – or updated – information security and data protection policies and rolled them out, says Helen Goldberg, COO at LegalEdge. “Policies should explain what personal data is and why it’s important to keep it secure and protected. Everyone should be clear on what they can and cannot do with that data and must understand the consequences of non-compliance.”
In addition, Mark Thompson, global privacy lead at KPMG, outlines the importance of raising awareness at board level. “The board needs to understand the implications of the GDPR and the need to make enhancements.”
Make sure the data protection officer doesn’t have any conflicts of interest. As most firms know, there is a requirement to employ a data protection officer (DPO) in certain circumstances. However, as a final check, companies should confirm their DPO doesn’t have other responsibilities that may result in a conflict of interest.
An example is someone who is both the IT manager and the DPO, says Rogelio Aguilar, a management consultant in cyber resilience, security and privacy at Sungard Availability Services. “The DPO ought to be an expert in data protection who operates independently.”
“It’s worth noting that the Bavarian data protection authority has already fined companies for a DPO’s lack of independence,” he adds.
“Make sure you’re clear on the legal basis for all processing, can deliver on data subjects’ rights and have a clear policy so your staff understand what happens if there is a data breach.”