This may be the first you’ve heard of it, but the European Union’s General Data Protection Regulation (GDPR) is coming and the deadline is 25 May 2018.
Brexit or not, businesses and organisations have to abide by the rules or face fines – being unaware of the new regulations is no defence, so it’s a good idea to get cracking on your compliance ahead of the deadline.
Here are five steps to guide you along.
Review and Plan
This might seem obvious, but many organisations won’t plan in time for the GDPR deadline. Review how you protect personal data now: is all of it secured, in storage and in transit? Do you back it up regularly, and test that the backups restore? Are your servers monitored for intrusions and breaches? Do you know what personal data you hold, where it lives and why you process it? Is your consent procedure in line with GDPR requirements?
These questions are just the start. It may be worth bringing in someone with a strong security background, such as a managed service provider, to help you get GDPR ready. Bear in mind that outside help does not transfer responsibility: as the data controller, you remain accountable for compliance. This process will take some time, so if you want to meet the deadline, you need to move fast.
Look at Your Defences
GDPR fines can be levied for failing to implement appropriate technical and organisational security measures, so building strong defences is a priority. Penetration testing, or a security audit performed by a company like Probrand, will sound out your weak areas and vulnerabilities; make sure the findings are actually fixed rather than filed.
Strong IT defences are not only about keeping attackers out. GDPR also expects you to be able to restore access to personal data in a timely manner after an incident, so put back-up and data recovery processes in place and test them regularly, so that if disaster does strike you can recover before any serious damage is done.
Get to Know Your Data Protection Commissioner
Each EU country has a supervisory authority for data protection (the title varies: in Ireland it is the Data Protection Commissioner, in the UK it is the Information Commissioner’s Office). If you suffer a personal data breach you must notify your supervisory authority, unless the breach is unlikely to result in a risk to the rights and freedoms of the people affected; where the risk to them is high, the affected individuals must be told as well.
Your supervisory authority publishes guidance on GDPR compliance, so use it, and get your employees engaged with the process so they know where to turn during a breach. The contact details for your authority should be easily available in your office, alongside a written breach response procedure. If a breach occurs you’ll be highly stressed, so having the details to hand is one less thing to worry about. You must report a notifiable breach without undue delay and within 72 hours of becoming aware of it; if you report later, you have to explain the delay. Keep a record of every breach, including those you decide not to report and why, because the regulator can ask to see it.
Prioritise
Compliance is a long process, so deal with your biggest vulnerabilities and the most serious threats first. Review your organisation to work out its own priorities, as every organisation is different. Factor in how long each task will take, too: a medium-importance but lengthy task should be started ahead of a low-importance, quick one, for example.
You may not be completely compliant by May 2018, which is why the biggest holes need plugging first if you’re to avoid breaches and fines. If you already have very strong server security, for example, put that on the back-burner and deal with your somewhat woollier data processing consent procedures.
Implement
When you’re all set, put your plans into practice. Make sure all your employees know what GDPR is, how to comply and why they should. There will be new processes to follow, and staff need to understand the reasons behind them so they don’t dismiss them as “EU red tape!” and land you with a fine. Appoint a Data Protection Officer if you need one: it is mandatory for public authorities and for organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data, and a sensible safeguard for others. It could save you a lot of money.