GDPR: A Simple Guide for CEOs (and What to do Right Now)
[Since this article was originally posted we have created a new detailed slide deck. A link to download these slides is at the end of the copy below.]
If you don’t comply with the new GDPR, you can be fined up to 4% of your turnover or 20M Euros (whichever is higher!). The government is deliberately making this a major issue that you have to take seriously, and you have to get right.
OK, I’m listening – what’s this all about?
The new General Data Protection Regulation (GDPR) gives EU citizens more control over their personal information, and makes organisations that hold or use that data responsible for keeping it secure. The new legislation goes further than the existing Data Protection Act, and contains several specific requirements. It will take companies time to get ready, so you need to look at this now.
But, we’re leaving the EU so this doesn’t matter to us…?
Nope. The UK government has decided to include GDPR as part of UK law for the foreseeable future. The UK has been a supporter of this initiative, so even after we leave the EU it is likely our government will continue to maintain this legislation in some form. Certainly, any business in the UK which handles data of EU citizens will be affected regardless.
So, the clock is ticking and there may be a lot for your business to do!
Firstly, what data are we talking about?
In summary, the European Commission defines the data as “any information relating to an individual”. More specifically they say: “It can be anything from a name, photo, email address, bank details, posts on social networking websites, medical information, or even a computer’s IP address.” That’s a pretty broad definition, and encompasses many pieces of data not covered previously.
What do you need to do to comply?
There are 7 key areas:
1. Appoint one of your directors to be accountable. The new legislation states any organisation where the core activities involve “regular and systematic monitoring of data subjects on a large scale” or large-scale processing of “special categories of personal data” (defined in the legislation) needs to appoint a suitably competent Data Protection Officer (DPO). Do you want this role and the accountability to fall within IT, marketing or legal (or elsewhere)?
2. Ensure proper safeguarding. Practically, your senior team will need to make sure you have safeguards and controls in place to ensure data is kept safe. GDPR suggests some specific measures like:
• Controls and procedures to ensure the data is kept confidential, is accurate, and is available when needed.
• Data should be anonymised and/or encrypted.
• You must be able to restore the data and systems quickly in the event of an incident.
• Regular testing and assessment of the effectiveness of your measures.
3. You must ensure your suppliers are compliant. GDPR puts greater onus on you to ensure that any supplier you use to process data will properly safeguard the confidentiality of the data. This is not their problem, it’s your problem!
4. Explicit Consent. You must ensure that people have explicitly consented to their data being stored and processed, and you need to make it easy for them to withdraw consent if they wish. You will need to be able to demonstrate consent has been given. This is a significant change, and it is unlikely that your current measures are sufficient, so quite a bit of work will be needed here. Importantly there is also a new statutory “right to be forgotten” for data subjects who want to have their data erased.
5. Be explicit and transparent. You will need to explain in plain language what data is held, how long it will be used/retained, and how to withdraw consent. That means reviewing privacy policies and processing notices to ensure they are drafted in plain language and contain all required information. Your data retention policies and procedures will need to be simple and appropriate.
6. Report Breaches. In the past, many people kept data breaches quiet, but under the new rules they must be reported to the Information Commissioner’s Office (ICO) without delay and, where feasible, within 72 hours. This is quite a significant change, and to meet it many organisations will need to implement security incident reporting and response procedures for the first time! Record keeping becomes increasingly important.
7. More Subject Access Requests. It seems likely there will be an increase in people querying their data as they become more aware of their rights, and you will need to meet more stringent timelines in how you respond to these requests. You will need new processes, and responsibilities will need to be clear, to make sure your teams are compliant.
Put simply, the government seems to be encircling companies with a range of requirements that force you to take data protection seriously. Companies can no longer be vague, be slow, or sweep issues under the carpet!
So what do I need to do now?
At face value, implementing these changes seems like more of a quest than a project! However, with early action and a methodical approach, ensuring compliance should be perfectly possible.
Step 1 – Right now, create a small budget and assign a board member to be accountable for this issue.
Step 2 – By the end of Q1 2017, ensure you and the Board understand what personal data is being managed or processed by your organisation. Where is this data being stored, and how is it managed and used? What is its lifecycle within the organisation?
Step 3 – By the end of Q2 2017, your organisation will need to have a clear plan for compliance. The new legislation comes into force on 25th May 2018.
Freeman Clarke is the UK’s largest and most experienced team of part-time (we call it “fractional”) IT leaders. We work exclusively with ambitious organisations and we frequently help our clients use technology to beat their competition. Contact Us and we’ll be in touch for an informal conversation.