GDPR: How should your company ensure it has the right skills and capabilities for the future?
In less than a year's time, one of the biggest regulation changes to data protection will occur, so how can your business ensure it has the right skills and capabilities for the future?
On May 25th 2018, the General Data Protection Regulation (GDPR) will become law for any business that operates within the European Union (EU), regardless of Brexit. This means companies will have to rethink the way they handle data on a company-wide scale.
The GDPR has been designed to protect the way citizens’ data is handled and ensure that organisations are including ‘privacy by design’ in their security strategies, so they are held more accountable to their customers.
Currently, businesses in the UK and EU that gather information on individuals do not have to reveal if they have been hacked, but as of next May this will all change, and companies that fail to adhere to this could face huge fines. Moving forward, how can you ensure that your company has the right skills for the future? Here we take a look at the factors you need to be aware of.
Rights of the individuals
The GDPR will allow citizens to request that their data be forgotten and to restrict the amount of information a company holds on them. This is why businesses must ensure they have enough resources to go over the rights of the individuals they hold data on and check their procedures. This must include how you would delete personal data, and how you would provide it electronically in a commonly used format.
While the decision makers and key professionals within your organisation may have heard of the upcoming GDPR, they may not fully understand it or be aware of its complications. To ensure a smooth transition and to avoid any fines that harm your business, it is crucial that they are brought up to speed on the impact this will have.
Once they are aware, the correct training can be provided to the rest of the company to make sure they are compliant.
A capability that your business must confirm is whether or not it has a lawful basis for processing personal data. Companies must identify the lawful basis for their processing activity under the GDPR, document it, and then update their privacy notice to explain it.
Appoint a DPO
Depending on the amount of data you process, you may need to hire a data protection officer (DPO) to take responsibility for data protection compliance and to assess the impact this will have on the business's structure. Even if you're a small business, if you handle a high volume of data it is likely you'll require a DPO.