In an environment where the collection and use of personal data is integral to effective service provision, businesses should mark 25th May 2018 in their diaries: that is the date on which the new data protection laws come into force, and the countdown has already begun.
The GDPR brings some significant changes to existing EU data protection laws, and for several organisations the appointment of a dedicated data protection officer will be required. Businesses will find that they are under a greater obligation to undertake privacy impact assessments and will need to place increased consideration on data privacy when creating new products and services (so-called "privacy by design"). For those who engage in international data transfers, stricter rules will also apply.
The new Regulation also places greater emphasis on data security, and organisations will find themselves subject to tougher security rules and a new data breach notification framework. Data protection authorities will be able to impose fines of €20 million or up to 4 percent of global annual turnover, whichever is the greater, where businesses are responsible for serious breaches of the Regulation.
Whilst two years may seem like a reasonable timeline, it's actually a relatively short period for businesses to get to grips with the new legislation and begin taking the steps required in preparation for it.
If the process hasn't already been started, then it's imperative that businesses begin now. The significance of the legislation warrants dedicated resource to oversee the adaptation of business processes in response to it, so the first step for organisations should be to put together a GDPR taskforce to map out and follow through on an implementation plan.
The new regulations will impact multiple groups, so a taskforce would require mixed representation from across the business, for instance from the IT and HR teams, legal and compliance officers and a senior manager with links into the board to ensure a thorough review is undertaken.
Review data management processes
Once established, the taskforce needs to start giving consideration to the information they currently hold. They should begin a review of existing supplier contracts and conduct an audit of what personal data they store, how it is being used, to whom it is being disclosed and to where it is being transferred. A full and comprehensive understanding of the current position from the outset will prevent any stumbling blocks further down the line.
A revision of existing privacy notices may also be required and it would be sensible to consider the development of a template for a privacy impact assessment for any upcoming projects that involve high risk data processing.
In addition, the processes for handling subject access requests will need to be looked at, as it'll be necessary to ensure that the organisation is able to meet a more challenging deadline for response under the new regulation.
Put data breach reaction procedures in place
For businesses which do not have existing procedures for notifying data breaches to the data protection authority, the creation of a protocol will be absolutely critical. In the event of a breach, timing, accuracy and transparency are key, and failure to respond appropriately could have significant consequences.
Compliance with the GDPR may appear to be a daunting challenge, but for organisations which take steps to understand and prepare for the requirements immediately, the process will be feasible within the given timeline.
The Article 29 Working Party, the body representing data protection authorities from across the EU which will be replaced by the European Data Protection Board, has announced that guidance will be issued to help organisations with the compliance process for the GDPR.