GDPR Compliance: Why You Need to Get Your House in Order

12 September 2017

Are you on your way to GDPR compliance? The General Data Protection Regulation or GDPR, is a robust, 88-page regulation which is a game changer in privacy law and will almost certainly affect how organisations do business if they control the data of any EU citizen.

The new regulation was created to give consumers a greater say in how their personal data is used and bring current data protection legislation up to date. The idea is that by doing this, businesses are given a simpler, clearer legal environment within which to operate. The purpose of this article is to give you a GDPR summary and help you get GDPR compliant.

GDPR Summary: What it Means for You

Although it's not quite panic stations yet, the law will apply from the 25th May 2018 meaning that you have a little more than 8 months to get your GDPR house in order. This means that your 'house' will need to keep records of all personal data, prove that consent was attained, show where the data's going, what it is being used for and how your organisation is protecting it - which is no easy feat.

GDPR 2.png Image was sourced from: istorage-uk.com

If you want to grow your paranoia just a little more then you can also find a real live GDPR doomsday clock right here.

Why GDPR Compliance Should Concern You

Although your IT department is probably aware of the GDPR regulation, according to a snap survey from Imperva, only around half of IT professionals are preparing for the May deadline.

Currently, just 43% of IT professionals are measuring the potential impact of the data protection directive on their business and updating their practices.

The EU data protection regulation doesn't just apply to organisations inside the EU either. Any organisation dealing in data that belongs to EU residents will be liable to the new penalties that come with the new regulations.

To understand better how you can stop your organisation from falling foul of the new regulation, read the article:

RACI Matrix: Chart, Model and Discover How to Identify the Process

How Exactly Can You Use Data Under the GDPR Regulation?

Both 'Controllers' and 'Processors' of data need to abide by the new data protection regulation.

A controller is any organisation that controls the data and how it is processed.
A processor is most likely either that same organisation or an IT firm that initially captures and processes that data.

The tightening of the screws in regards to how you use data means that you must process data lawfully, transparently and for the specific purpose you have stated and collected the data under. Once that purpose has been fulfilled, your organisation would need to delete it.

Image was sourced from: trustmarque.com

What This Means For the UK Before and After Brexit

Brexit is largely irrelevant for the incoming GDPR regulation. As previously stated, even countries that are already outside of the European Union will need to get into line with the regulation when dealing with data of those inside the EU.

Adrian Davis, managing director EMEA at security certification organisation (ISC)² explains that “Whether we like it or not, the European Union GDPR will be a part of the privacy and cybersecurity landscape for a while yet. GDPR will be a legal requirement before Brexit occurs – and, once we leave, we will still have to follow its obligations if we handle the personal data of EU citizens...but more than that, GDPR really sets the bar for how we and our organisations look after the personal data of our customers, our staff and ourselves – and sets the bar high.”

GDPR Compliance and Triaster

It is key that your organisation is able to understand the key elements of the regulation, audit your current data protection measures, document all the information you have and ensure that your on-going data collection and management procedures are GDPR complaint.

This will be a time consuming process for any organisation, meaning that you will most likely need a third party system to manage it for you.

At Equifax, the Data and Analytics team have data groups and data assets that they have to map - each will need it's own journey meaning that it will be a long and laborious process to make their processes GDPR ready but they will be able to use Triaster and their Process Library HUB to capture and publish their processes.

If you want an extensive rundown of Triaster's capabilities as a management platform then click here.

What are the Potential Penalties?

Image was sourced from: itgovernance.co.uk

Failing to comply with the new law could lead to a fine of up to £20 million or 4pc of global annual turnover (whichever is highest).

Security firms will also need to make sure their security systems can spot breaches quickly; under the GDPR any breaches must be reported within 72 hours of the initial break-in.

4 Tips To Help You Get Ready

(ISC)² is in the process of implementing GDPR across the organisation before the 2018 deadline. Managing Director Adrian Davis has four tips to help you get ready:

Getting buy-in from senior managers and business functions is vital as GDPR affects every part of an organisation.
Don’t view GDPR as a technology issue; making your people and processes GDPR-intelligent is just as important as the bits and bytes.
Build on your current successes; compliance to international standards such as ISO 27001 or PCI-DSS or data protection legislation will help your GDPR efforts significantly.
Run your GDPR efforts as a project and adopt a stakeholder-centric approach within your project framework.