With the new European Union General Data Protection Regulations now less than a year away, it was expected that the vast majority of companies that it will affect would be some way on in their preparations. However, as the weeks roll on, it seems that not only are many organisations not preparing sufficiently, some are not preparing at all in the belief that the new law will not affect them.
According to a new security report from data security experts NTT Security “Business Security: Always a Journey, Never a Destination,” three-quarters of non-IT leaders at U.S. firms believe that the European Union’s (EU) upcoming General Data Protection Regulation (GDPR) does not apply to them.
It comes hot on the heels of a survey from Consult Hyperion that found that many organisations across the world are not actively engaging with GDPR preparation and are risking high fines. Consult Hyperion estimate that nearly €5bn of fines could be levied on them between 2018 and 2021. We’ve also seen a survey from Nexsan, the leading cloud service provider, which found that 50% of all UK based organisations still do not understand what GDPR is, as well as a report from London law firm Hamlins LLP that said hundreds of thousands of UK businesses are risking large fines after more than 70% have failed to budget for GDPR implementation.
So what should businesses be doing? These are five basic steps that all organisations should be taking to prepare for GDPR.
GDPR Affects The Whole Organisation
Even amongst companies that are actively engaging with the new European General Data Protection Regulations, many are still seeing it as something that is an ‘IT thing’ or a ‘marketing thing’. It’s vital to realise that this is not the case and that GDPR affects almost every area of a business. From legal and accounting to sales, marketing and customer service, everyone needs to be aware of the implications of the new regulations and operate with a common goal of meeting their requirements.
Assess What Impact GDPR Will Have
It is crucial that organisations survey all of the data that they possess (from customers, employees or any other individual) and check how it will be affected by GDPR. Business contacts should also be included, which means that the scope of GDPR is wider than many people realise.
Plan And Use The Least Data Possible
When planning new projects, it is wise to do so with the intention of using the least amount of personal data possible without compromising the effectiveness of your project. This will shield you as much as possible from the impact of any data breach.
Test Your Procedures
You should ensure that you test your procedures for meeting individuals’ requests for data erasure or data access. Using as little data as possible, however, will help you avoid the need for these requests as well as helping you avoid having a breach.
In the unfortunate event that an organisation has a data breach, it is crucial that they have a notification plan that ensures they contact a supervisory authority within 72 hours and notify all affected data subjects. Failure to do so can result in big fines of €20 million or 4% of annual global turnover – whichever is higher.
More information on how to prepare for GDPR can be found in our GDPR FAQ.