Companies woefully underprepared for GDPR
Posted in Blog articles by Matt Hodges-Long on 30/11/2017
General Data Protection Regulation
Six months from today, on 25 May 2018, organisations of all shapes and sizes must be compliant with the new General Data Protection Regulation (GDPR).
GDPR is the biggest change in data protection across the EU since the 1995 Data Protection Directive. Although companies have been given around two years to comply, it seems that many are behind with their preparations. As a result, they will struggle to meet the 25 May deadline.
What does GDPR cover?
GDPR is not a set of best-practice guidelines; it is law, directly applicable in every EU member state. Ownership needs to be taken at all levels of the organisation to ensure compliance and avoid costly fines.
- GDPR applies to organisations worldwide, not only those based in the EU, whenever they process the personal data of individuals in the EU.
- It widens the definition of personal data and includes the ‘right to erasure’: an individual can ask an organisation to erase the personal data it holds about them, and the organisation must do so without undue delay and normally free of charge, unless one of the Regulation’s exemptions applies (for example, a legal obligation to retain the data). Where the organisation has passed the data on to third parties, it must also inform those recipients of the erasure.
- It tightens the rules for obtaining consent to use personal information. Organisations must state clearly what personal data they are collecting and how it will be processed and used, and consent must be freely given, specific and unambiguous rather than assumed.
The role of technology
Technology will be a great enabler for GDPR. Up until now, however, most software has been designed to prioritise capturing data over controlling how long it is kept and how it is removed. GDPR requires data protection by design and by default, meaning that software, systems and processes must be designed and built to comply with its principles from the outset. That includes the ability to erase an individual’s data completely, including copies that have ended up in logs, backups and third-party systems, a capability that is still rare in software.
The role of risk management
Risk management is one of the main tools employed to achieve regulatory compliance, particularly in matters related to cyber security, and security of processing is one of the main areas GDPR looks to address. Simple measures help. Sharing a document through a controlled document-sharing system rather than as an email attachment reduces the risk of a data breach and makes erasure practical to automate: access to a shared copy can be revoked and the master copy deleted, whereas an attachment leaves an uncontrolled copy in every recipient’s mailbox and backups. Our whitepaper “Stop Sending, Start Sharing”, published earlier this year, includes more guidance on this matter.
For more information, the Information Commissioner’s Office (ICO) website includes helpful resources and support, including a self-assessment toolkit to help you identify your current levels of compliance and 12 steps to take now to help you become GDPR compliant.