No matter what sector your business operates in, it's inevitable that your management team will have been giving a lot of thought to the new European General Data Protection Regulation (GDPR) over the last few months.
Set to come into effect on May 25th 2018, the new law represents the biggest regulatory change in data protection standards in decades, and will introduce stringent new standards on obtaining informed consent when storing and handling sensitive information. It will apply to every company involved in processing data pertaining to EU citizens, with those that fall foul of the law facing significant financial penalties and reputational damage.
With less than one month to go before the enforcement deadline, most companies will have completed the bulk of their GDPR preparations, but when it comes to a legal change of this magnitude, there's no such thing as being over-prepared. That's why it's worth running through a few last-minute checks and changes to make sure your organisation is fully GDPR-compliant ahead of May 25th.
At its most basic level, GDPR is designed to give people more control over their personal data by ensuring it is only ever collected, stored and utilised with their specific consent, which can be withdrawn at any time. Businesses have been responding to this by auditing their databases and reconfirming with existing contacts that they are still willing to provide permission for this information to be used.
Naturally, every organisation will realise that this refers to information about customers' names, photos, addresses and contact details, but it's important to make sure you've considered all possible forms of identification that may fall under GDPR's purview. This includes IP addresses, location data, cookie information and analytics findings; even more importantly, data pertaining to people's race, religion, political views, union memberships, sexual orientation and health status require special protections, as do their biometric and genetic data.
If your GDPR preparations haven't taken any of these into account, now is the time to put this right.
At this stage, you may feel you've been thorough about assessing all of your organisation's potential vulnerabilities, but it's vital to make sure you've also done your due diligence when it comes to any partners and third-party vendors that you work with on data-related tasks.
You may not be able to audit and affect an external company's policies in the same way as you can do internally, but it's still your responsibility to make sure their data policies are compliant and align with your own, and that you have shared contingency plans in place in the event of a breach affecting both organisations. Failure to do so could result in your company being seen as responsible for a data protection failure somewhere along your supply chain.
Preparing for GDPR involves considerable amounts of upfront administrative tasks, but also opens up the possibility of additional paperwork even after May 25th. This is because owners of the personal data that your company is handling will be given the right to request copies of that data or have it deleted for any reason, and it will be your responsibility to make sure this happens transparently and within a reasonable timeframe.
As such, it's important to take the opportunity to ensure this data is organised in a way that's intuitive, centralised and easily accessible, so that any requests of this kind can be handled as efficiently as possible - particularly given the possibility of harsh penalties for any business that fails to meet the required standard.
GDPR will create a whole new set of responsibilities when it comes to data handling, so it's vital that everyone within your organisation knows exactly who is ultimately accountable. Business managers will be the ones primarily responsible for defining the use of data as part of the organisation's activities, but they themselves should also be held accountable for their competence in doing so, especially if they aren't necessarily tech experts.
This is why GDPR mandates that all companies above a certain size appoint a data protection officer (DPO) to coordinate data usage practices, ensure compliance and oversee all the necessary training and reporting activities. This function is likely to become a central one for many companies post-GDPR, so it's worth considering training or hiring a DPO, even if your company is small enough not to require one by law.
When planning for GDPR, the majority of the focus is likely to be placed on auditing databases, updating data usage policies and making sure the company's digital management strategy is fit for purpose. This is only natural, but it's important that the issue of physical security doesn't get forgotten about.
After all, even the most thorough data protection strategy can be easily undermined if servers containing sensitive personal data are housed in an unreliable or insecure facility, or if carefully curated information goes astray because a laptop or USB drive was left lying around. Making sure this oft-forgotten aspect of data security is given the proper attention will be crucial in creating a genuinely watertight post-GDPR data usage policy.