I know what you're thinking, "Oh no, not another General Data Protection Regulation (GDPR) blog!" But the countdown is well and truly on.
We know GDPR will come into full force on 25 May 2018, and organisations of all sizes are wrestling with its impact on their business. As an organisation that specialises in the secure storage of personal and company data, we thought we would share our thoughts in a 5-step guide to GDPR compliance.
1. What’s at risk?
The number one risk is the fine. Failure to comply with GDPR can result in a fine of up to 4% of total annual turnover or €20,000,000, whichever is higher. It is therefore imperative that you look at your business and at how you handle the data you hold, because failure to comply will reduce revenue, profit margins and the valuation of the company. A practical and affordable strategy, backed by policies and concrete actions, needs to be put in place to ensure your business complies with GDPR.
(Note: this range of fines applies to many of the core provisions of GDPR. Make sure you understand them all.)
2. Base Line
Don’t panic! Assess where you are now, find your baseline and build from there. There are a number of new rights and obligations but many internal processes and systems can be re-used or just slightly adapted to meet GDPR. Don’t reinvent the wheel.
Take a step by step approach and if you can get some trusted advice, now is a good time to get it.
3. Senior Team
Make sure the senior management team of the organisation knows what it is all about and what they need to consider.
The GDPR will affect almost every aspect of an organisation, its key stakeholders and a range of business functions including marketing, human resources, information security, legal, product development and website development to name a few.
4. Understand the data you have and how it should be handled
The definition of personal data is expanding and specifically covers online identifiers, meaning anything that contributes to identifying an individual or that links to identifying information, including cookies and IP addresses.
Consent, for example, is one of the lawful bases for processing. If your business relies on consent, you will need to review your policies and documentation, as GDPR requires clear and concise consent before consumer data can be used. (Note: the burden of proof in showing that consent was given now lies with you.)
5. Review internal procedures for data breaches & prioritize accordingly
For the first time, GDPR introduces pan-European data breach notification rules.
Data controllers must compile an internal breach register, regardless of whether a breach triggers a notification or not. The register should include detailed facts about each incident, its effects and remedial action taken or action that will be taken. A notifiable breach must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. Failure to do so can result in the fines that we previously discussed.
Consider adopting a cybersecurity framework, and carry out regular tests and internal training to ensure efficient processes are in place before 25 May 2018. As the saying goes, "Fail to prepare, prepare to fail", and this is no different with GDPR compliance.
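The breach register and the 72-hour notification clock described above, as an added illustration (this is example code, not ClearCrypt's product or any regulator's tooling; the record fields follow the facts / effects / remediation items listed in step 5, and the timestamps are constructed sample values):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Article 33 window: notify the supervisory authority within 72 hours of becoming aware.
NOTIFICATION_WINDOW = timedelta(hours=72)


@dataclass
class BreachRecord:
    ref: str                      # internal incident reference (constructed, e.g. "INC-0001")
    aware_at: datetime            # when the organisation became aware of the breach
    facts: str                    # what happened (systems, data categories, cause)
    effects: str                  # likely consequences for the individuals affected
    remediation_taken: str        # action already taken
    remediation_planned: str      # action still to be taken
    notifiable: bool              # outcome of the risk assessment: does it need reporting?
    notified_at: Optional[datetime] = None  # when the authority was actually notified

    def deadline(self) -> datetime:
        return self.aware_at + NOTIFICATION_WINDOW

    def status(self, now: datetime) -> str:
        """Register-only breaches are recorded but never notified; notifiable ones are tracked against the deadline."""
        if not self.notifiable:
            return "register-only"
        if self.notified_at is not None:
            return "notified-on-time" if self.notified_at <= self.deadline() else "notified-late"
        return "overdue" if now > self.deadline() else "pending"


class BreachRegister:
    """Every incident goes in the register, whether or not it triggers a notification."""

    def __init__(self) -> None:
        self.records: List[BreachRecord] = []

    def log(self, record: BreachRecord) -> None:
        if record.aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware so the 72h clock is unambiguous")
        self.records.append(record)

    def needing_attention(self, now: datetime) -> List[str]:
        """Refs of notifiable breaches not yet reported, overdue ones first, then by remaining time."""
        open_recs = [r for r in self.records if r.status(now) in ("pending", "overdue")]
        return [r.ref for r in sorted(open_recs, key=lambda r: r.deadline())]

    def hours_remaining(self, ref: str, now: datetime) -> float:
        rec = next(r for r in self.records if r.ref == ref)
        return (rec.deadline() - now).total_seconds() / 3600
```

Feeding the register from your incident-response process (rather than a spreadsheet filled in after the fact) is what makes the "became aware" timestamp defensible if a regulator asks.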
ClearCrypt Can Help
We can help you, even if just a little bit, on your GDPR journey. When it comes to data, bear in mind Article 32 (Security of processing), which talks about implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the encryption of personal data.
Privileged, confidential or sensitive data must be protected at all times from intentional or accidental loss, and the ClearCrypt range of devices is designed to make this cost-effective, flexible and easy to achieve. In our ever-connected world, an encrypted USB device is not just an accessory but a necessity, and the ClearCrypt range:
- Is flexible
- Caters for all your data storage requirements
- Is cost-effective.