5 things you should be considering when it comes to GDPR
As of May next year, businesses in the UK must comply with updated data protection law in the form of the EU's General Data Protection Regulation (GDPR).
By May 25th 2018, businesses and organisations across the UK must be compliant with the European Union’s (EU) General Data Protection Regulation (GDPR). There’s no shying away from this legislation - businesses must either prepare for it or face damaging fines.
Most significantly, the GDPR will change how marketing communications are sent to customers and how businesses look after any personal data they receive. Companies that fail to comply can be fined up to 20 million euros (£17 million) or four per cent of their total worldwide annual turnover for the preceding financial year, whichever is the greater amount.
Here we take a look at five things your business should be considering ahead of the GDPR deadline next year.
1. Data breach protocol
As attackers become more capable, it becomes increasingly likely that a company will suffer a data breach. This makes it all the more important for businesses to have a data breach protocol in place. Such a protocol will not prevent a breach, but it determines how quickly and how well the organisation responds to one, and it underpins GDPR compliance: a breach that puts individuals' rights at risk must be reported to the supervisory authority (in the UK, the ICO) within 72 hours of the organisation becoming aware of it, and affected individuals must be told where the risk to them is high.
This sort of protocol is not simply a plan for fixing a breach once it has occurred. It should be drawn up in advance, assign clear responsibilities, and set out how the organisation will establish the nature of a breach, its likely consequences and the measures proposed to mitigate its effects. Those are the same points the regulator expects in a notification, so an organisation that has rehearsed them will be able to identify what data was taken, which individuals are affected and where the breach occurred.
2. A proactive strategy
Instead of waiting for the GDPR to affect their company directly (very possibly in the form of heavy fines for non-compliance), employers should take a proactive stance and reassess their current business strategy against the regulation now.
3. Personal data
Companies must consider what personal data they are storing, because all of it falls within the scope of the GDPR. The regulation defines personal data as any information relating to an identified or identifiable living person, which explicitly includes online identifiers, so names, postal addresses, telephone numbers, account numbers, email addresses and IP addresses all count. This is broader than the US notion of personally identifiable information (PII), although the two terms are often used interchangeably. According to Corporate Compliance Insights, PII can be client data or employee data and can be stored in disparate repositories.
To ensure that their business is compliant, employers need a good understanding of what data they hold, why they have it (the lawful basis for processing it), what they intend to do with it, how and for how long they keep it, and how they dispose of it. Most organisations will need to keep a written record of these processing activities, which the GDPR requires to be made available to the supervisory authority on request.
4. PII data
Companies must establish and document where each type of data, including PII, is held and the rules for handling it. Data should only be stored in locations that corporate policy permits, and any copies found elsewhere (personal drives, spreadsheets, test systems) should be brought under policy or removed.
Relevant training must be provided to employees who have access to PII, or whose job responsibilities involve working with it, so that they understand it cannot be shared indiscriminately.
5. Policy components
Data protection policies should also set out an individual's right to object to, or withdraw consent for, the use of their personal data, whether for internal purposes or by third-party companies; where the purpose is direct marketing, the GDPR requires an objection to be honoured without exception. The firm's stance on data security should also be included here.