Plenty of UK businesses have admitted they aren't fully prepared for GDPR. With less than two weeks to go, Alastair Hartrup provides some last-minute advice to those businesses that may still be struggling
We are less than two weeks away from the date the General Data Protection Regulation (GDPR) goes into effect, and organisations need to ensure that they are ready or risk suffering the consequences. The GDPR is a long and complicated piece of legislation, so we want to help break it down for any enterprises that are still a little lost, starting with: who within your organisation will need to react to GDPR?
First to act
GDPR affects every employee within a business. It is not something that can simply be delegated to one employee or team who can then be made the scapegoat when things go wrong. Everyone from the CEO to the interns must make sure that the company is complying. But in the case that something does go wrong, who should be the first to act?
Under GDPR, responsibility for a breach sits with the Data Controller, which is the organisation that decides why and how personal data is processed, not a role inside the IT department. If a breach is likely to put individuals' rights and freedoms at risk, the Controller must report it to the supervisory authority (in the UK this is the Information Commissioner's Office, not the police) within 72 hours of becoming aware of it; if the report is late, the Controller must explain the delay. Where the Controller relies on a Data Processor to handle the data on its behalf, the Processor must notify the Controller without undue delay after becoming aware of the breach, with as much detail as it has, so that the 72-hour clock can be met. The affected individuals must also be told without undue delay when the breach is likely to result in a high risk to them. That last obligation is lifted if the data was rendered unintelligible to anyone not authorised to access it, for example through strong encryption whose keys were not also exposed. Note that encrypted data is not anonymised data: it is still personal data, and the breach must still be recorded and, where required, reported to the supervisory authority.
So, how can companies make sure that they are compliant when GDPR is taken into effect? Well, the first, and most obvious, step to take is to have a plan ready.
The roles of Controller and Processor were mentioned above, but these are not the only roles your organisation needs. A Data Protection Officer (DPO) is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive categories of data, and it is good practice for everyone else. Having someone whose job is to make sure your business is compliant is very important. They become the point of contact for the data protection authority, for individuals exercising their rights over their data, and for anyone else checking that your business is remaining compliant.
From there, companies should be proactive and transparent in demonstrating accountability for all processing activities, starting with a record of what personal data is held, where it came from, why it is processed and who it is shared with. Enterprises need to examine how data flows across borders, both within the EU and outside it. Businesses also need systems in place to detect a breach and to notify individuals and authorities when one occurs; you cannot meet a 72-hour deadline if nobody notices the breach for a month.
As stated earlier, notifying individuals is not required for breaches in which the data was rendered unintelligible, so companies should examine their encryption solutions to ensure their private data is, and remains, private: encryption at rest only counts if the keys are managed separately from the data and were not exposed in the same incident. They also need to comply with the right to erasure (often called the right to be forgotten) should an individual ask for their data to be deleted, which means knowing every system, backup and third party that holds a copy.
The biggest consequence of failing to meet the GDPR legislation is the amount of money a company will lose, and not just from the fine. For the most serious infringements the fine can be up to €20 million (£17.5 million) or 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher; a lower tier of up to €10 million or 2% applies to other breaches of the rules. This is already a high price, but it is not the whole cost: an enterprise that suffers a breach also has to pay for the investigation, remediation and notification, and in a ransomware incident may face a ransom demand on top, whether or not it chooses to pay.
Then there is the long-term brand damage. The obvious recent example is the Facebook data scandal, which caused a wave of users deleting their Facebook accounts and saw the CEO, Mark Zuckerberg, testify before the US Congress. This has no doubt cost Facebook, and while it is a big company that can absorb the hit, a smaller business suffering equivalent damage to its brand could see it crumble away along with its revenue.
GDPR is designed to light a fire under businesses to encourage the implementation of stronger security measures and to better protect their networks and data. It also pushes enterprises to report any breaches they suffer as soon as possible, rather than hide them, or risk heavy fines. And it makes it a legal obligation to implement appropriate technical and organisational measures, and to build data protection into systems by design and by default, so that data privacy and consumer protection are treated as the highest priority.