When it comes into force in the UK on May 25 2018, the General Data Protection Regulation (GDPR) will affect all organisations.
An evolution of existing data protection legislation, GDPR will introduce some significant changes to the current regime, with non-compliance leading to potential fines of up to €20 million.
It means reviewing activities, policies and procedures and taking action right across an organisation.
Chris Hunter is a director of Preston-based HM Network, independent business connectivity, GDPR and cyber security specialists.
Chris explained that his business has been actively preparing for GDPR for the past year. He said: “Like a lot of businesses we have spoken to since, we’re a small business and didn’t initially think it would affect us that much.
“When we actually sat down to look at it in detail we were gobsmacked with what we found. We pretty much stopped everything we were doing for about a month to take stock of what it entailed.
“The majority of our clients are B2B but we are in a supply chain with consumer businesses, for instance Wi-Fi provision in retail and leisure venues.
“As a result, we are actually collecting and processing data, which puts us right in the GDPR’s crosshairs. Following legal advice we have since had a lot of our supplier and partner contracts re-written with GDPR in mind.
“Many businesses just don’t realise where they stand and are burying their heads in the sand. A lot of businesses who outsource data processing activities are unaware that they risk a serious breach using third parties and especially if they are sending data outside of the EU.”
Anthony Terry is director of IT at Napthens. He points out that the regulations should be welcomed and will give many businesses the opportunity to work with their IT systems and properly assess the data they hold.
For many, of course, this could mean investment into their systems.
He explained: “For firms that haven’t necessarily continually invested within their IT platform, now is the time to understand what data you have, where and how long you store your data and importantly, what security wrap you put around your data.
“Businesses should carefully evaluate a number of their strategies, particularly around data security, backup, retention and security. We see evolving security threats on a daily basis, and it is important that firms are providing high levels of security around their email platforms in particular, and driving an awareness programme to educate staff.
“Every firm should be taking GDPR very seriously and be well on the way now in terms of delivering any new policies and systems that may be required to ensure compliance.”
But GDPR does not simply affect the way a business stores its customer information. Businesses will benefit from adopting a holistic approach to GDPR compliance across their entire organisation, factoring in IT systems, cyber security, marketing as well as HR and employment law issues.
Kimberley Barrett-St.Vall, Employment & HR partner and a member of Napthens’ GDPR team, explained the responsibility of an organisation’s commitment to compliance should not sit with any one department.
She welcomed the regulations as an effort to catch up with the way the world of work has changed, with many businesses reliant on IT, and a real boom in remote and flexible working.
Kimberley said: “GDPR will have a major impact on employment and HR, from recruitment to processing employee data, to policies and procedures and training.
“When it comes to recruitment, a business will be under an obligation under the GDPR to provide greater detail to candidates setting out information such as the category of data being processed and the legal basis of this processing, and if the data is to be transferred outside the EEA, the European Economic Area.
“From May 2018 there will be no fee to pay if employees make a data subject access request, and these requests must be dealt with in 30 days – down from the current 40 days. There is likely to be an increase in requests, and it is important to understand how to handle them efficiently.
“Organisations would be well advised to review their employee handbook and it will be vital for staff to understand the relevant policies and their internal obligations in the event they commit a breach.”
If businesses are only just beginning to look at the complexities of GDPR, are they too late? Just what can be done in the few short months we have left?
Jeremy Coates is CEO at Magma Digital, a software consultancy company based in Buckshaw near Chorley. He recognises that most businesses are ‘not quite there yet’ when it comes to GDPR and should be taking some important steps to prepare.
He said: “The key for me is that you’ve got to make sure it’s a board-level agenda item, and that someone is appointed within the organisation to follow the decisions through. There’s the temptation, that should be resisted, to simply add it to someone’s day job where it could get squeezed out.
“Don’t underestimate the work which needs to be done.”
Phil Brown, Corporate solicitor and GDPR expert at Napthens, pointed out that many businesses may be further down the line to compliance than they think.
He explained: “If a business is currently taking data protection seriously, then they are probably a good way towards being compliant.
“The majority of the work needed before May 2018 is simply documenting that compliance and ensuring that staff members are suitably trained as to their responsibilities – and training records kept.”
Phil points out that there are common pitfalls which businesses face when approaching GDPR: “People seem to think that if they buy a product, or use a certain template document, then they will be compliant.
“People tend to fall into two camps: either they are absolutely terrified of GDPR and are panicking unnecessarily because they are already in reasonable shape; or they have ignored GDPR and still seem to think that it won’t apply to them or won’t be enforced.”
Jeremy Coates of Magma points to four key categories of activity that businesses should undertake:
“First, map out what your data is, where it is, and what type it is. Don’t just assume it’s your electronic records, GDPR covers paper records in a filing system too, plus CCTV etc. Look at everything you’ve got from email to HR to business-specific systems and third party systems too.
“Then look at who has access to that data within your organisation. Smaller businesses often use external IT teams, for instance.
“The danger is that if, under GDPR, someone uses their right to rectification to have their data corrected, you have the responsibility to do so in a timely manner – including where data is held by third parties.
“Thirdly, put controls in place to protect the company and individuals. What do you do to prevent breaches and what happens if a breach occurs?
“Businesses with good systems in place carrying out regular checks and responding in a timely manner can expect to see lower penalties.
“Finally, record everything. The documentation is something that you need to be rehearsing and practicing now. The guidance on this area of the regulations is particularly unclear, so it’s important to make this a priority.”
Daunting though the changes are, there is plenty of support available. Napthens, HM Network and Magma Digital have all held seminars on the topic and continue to do so.
Chris Hunter of HM Network said: “No one is bulletproof, there is always going to be a risk somewhere, but you need to know where your risks are in order to reduce the likelihood of becoming a serious incident.
“Implement policies and procedures so that you know what to do and when. Educating staff is vital and being able to evidence it is essential. No one department owns the responsibilities that come with GDPR, everyone is in this together and everyone needs to work together to make it happen.
“Ignorance is not bliss. Businesses need to find the right support mechanisms and invest time in doing what is needed. Do not leave it too late as it could come back and bite you.”
Kimberley Barrett-St.Vall of Napthens added that training is the key to successfully preparing for GDPR’s impact. She said: “Ultimately as a business you want to breed a culture of compliance and transparency and therefore policies will be one step to achieving this, but training on its applicability will be key.
“Even if there is a requirement for your organisation to have a Data Protection Officer (DPO), s/he cannot be in all places at all times, and therefore your staff are going to be key in ensuring the business is GDPR compliant. They will be your canaries in the coal mine.
“For all staff it will be important that they understand the relevant policies but also the changes in data protection, and that they know what their internal notification obligations are in the event that they commit a breach.”
Says Jeremy Coates of Magma Digital: “See it as an opportunity to get clarity where there may not have been clarity in the past.
“Where do we need to be more resilient? Are our backups fit for purpose? There are questions people don’t even think about day-to-day because it doesn’t really impact them. Now it will, and there’s an opportunity for business to get to know their organisations even better.”
Phil Brown of Napthens added: “Whatever the situation, don’t panic – there’s still time to understand how GDPR will affect your business, and what can be done to help.
“Napthens’ GDPR team will continue to update its clients on the issues involved and offer full support to make sure they are ready for May.”