
Tips on complying with EU GDPR

by Mark Rowe

First announced in 2012, the long awaited European Union General Data Protection Regulation (EU GDPR) now looks set to come into force in spring 2018. In the current climate, where it seems we cannot go a week without a data breach or cyber-attack being reported (December’s Wetherspoon breach being the biggest recent example), the new Regulation can’t come too soon, writes Jonathan Armstrong, Partner at Cordery and Legal Advisor to software firm Absolute.

And we’re already seeing some regulators use aspects of the new regime to enforce good data security standards. European data protection laws haven’t changed much since 1995, when the Data Protection Directive was introduced. That seems like a lifetime ago when you consider how the data landscape has changed: twenty years ago only one per cent of Europeans used the Internet, and in the past two years we have created more data than in the previous 2,000. The EU GDPR has been designed with this in mind, and represents far more than a fine-tuning of the existing Directive.

When it comes into force, the EU GDPR will impose much stricter requirements for reporting data breaches and safeguarding customer data than exist today. For example, the individuals affected by a breach will usually need to be told when it is likely to put them at high risk, the supervisory authority must be notified of a breach within 72 hours of the organisation becoming aware of it, and organisations whose processing meets certain criteria will need to appoint a data protection officer. Not only have the rules changed, but so has the punishment: there will be increased sanctions for breaches of the Regulation, including fines of up to four per cent of an organisation’s global annual turnover.

Despite this, far too many organisations have not yet begun to think about the impact of the EU GDPR on their approach to data protection. With the stakes so high, businesses cannot afford to be complacent about compliance. The sooner businesses prepare and ensure they comply with the upcoming law, the better their chances of not falling foul of it when it comes into force.

With this in mind, we’ve compiled some essential tips outlining the actions that businesses should undertake now to ensure compliance.

1. Understand the impact: Carry out a data protection impact assessment so you understand how your business will have to adapt to the new Regulation, and what the consequences of a breach would be.
2. Thoroughly review vendor contracts: Vendors’ help will be needed to ensure compliance, especially in reporting security breaches promptly. Organisations should make sure they have the contractual rights to insist on this, and that they can hold their vendors to account if a vendor causes a data breach.
3. Get the team together: Businesses that process data in certain ways must appoint a Data Protection Officer, and smaller companies should still name someone responsible for data-related matters. You’ll also need to make sure you have the right resources in place to ensure compliance.
4. Update everything: Ensure the new, more detailed documentation and records of processing are ready to produce for regulatory inspection, and factor the cost of maintaining them into your overheads.
5. Day-to-day implementation: Review how the key practical aspects of the EU GDPR, such as data retention and destruction, apply to every means of collecting data your organisation uses. Where a collection method falls short, review that method and bring it into line.
6. Create processes: Put in place a data breach notification procedure, covering detection and response capabilities, so that you can meet the 72-hour notification deadline. It is also worth considering data breach insurance.
7. Demonstrate compliance: Create compliance statements for annual business reports. Not only will this show the wider world that you’re compliant, but it will also ensure a consistent focus on data protection throughout the year.
8. Deliver effective training: This has never been more important, given that the EU GDPR will be completely new to many of your employees. It is vital that your staff are thoroughly trained on all of the above.

Complying with the new rules will present considerable challenges. The less time your organisation gives itself to bring all of its systems and processes into line, the harder it will be. What’s more, rushing through the changes will inevitably lead to errors, which could result in breaches and heavy fines. A measured approach that uses the time available, however, will allow you to navigate the increasingly stormy seas of data regulation and reach compliance before the EU GDPR hits with full force.


© 2024 Professional Security Magazine. All rights reserved.
