As your business readies itself for GDPR – the regulation applies from 25 May 2018 – a review of your existing data protection policies is crucial. Demonstrating compliance with the principles of the Data Protection Act has always been good practice. The eight principles under the current Data Protection Act have not been replaced by GDPR; they have been strengthened.
GDPR also amplifies the importance of clearly identifiable data protection policies. It does so by placing a new ‘accountability’ obligation on the data controller (the organisation or person who determines the purposes for which personal data is processed and the means by which it is processed). In an important addition to the existing compliance framework, Article 5(2) of the GDPR states:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
HOW DO I SHOW GDPR COMPLIANCE?
The enhanced data protection principles don’t explain how controllers should meet their compliance obligations. It is up to every business to apply them to its own organisation. At Big Data Law in London we help businesses of all sizes interpret the rules and formulate appropriate data security policies. The goal under GDPR is to put privacy and the security of personal information at the heart of your business.
We help you achieve this in several ways, including:
- Identifying where threats to the security of your organisation’s data exist. This means minimising the risk of accidental leaks of information and of breaches by disgruntled employees. It also means taking steps to reduce the risk of cyber attack.
- Advising on how you can train staff in data security.
- Working with your data protection officers to ensure they understand their roles and responsibilities.
- Undertaking a GDPR gap analysis and helping with the implementation of findings.
- Reviewing policies regularly to ensure they remain fit for purpose.
HOW WILL GDPR CHANGE MY DATA SECURITY POLICY?
Bolstering existing policies in preparation for GDPR is essential. Some of the changes you will need to consider include:
- Consent – Where you rely on consent, individuals whose personal information you gather will have to actively agree to its storage and use. A pre-ticked box on a web page will no longer be sufficient to infer consent. You should have a system in place for demonstrating how and when you obtained consent. In addition, withdrawing consent must be as easy as giving it. When an individual withdraws consent and you have no other lawful basis for keeping their information, you must delete it (the right to erasure, often called the right to be forgotten).
- Reporting breaches – If there is a personal data breach that is likely to put individuals at risk, you are obliged to report it to the supervisory authority (in the UK, the ICO) within 72 hours of becoming aware of it, describing the nature of the breach, its likely consequences and the measures you have taken or intend to take to remedy it. Where the breach is likely to result in a high risk to the individuals affected, you must also inform them without undue delay.
- Sanctions – Under GDPR the sanctions regime is much more punitive than now. Companies may be fined up to 4% of annual worldwide turnover or €20 million, whichever is higher.
THE BENEFITS OF ROBUST DATA SECURITY POLICIES
With the advent of GDPR it’s no longer possible to view data security policies as an add-on, something that’s optional or a ‘nice to have’. Appropriate policies, built specifically for your business, must now be an integral part of your day-to-day commercial activity.
GDPR places new responsibilities on organisations. To many these seem unduly onerous. But taking the steps necessary to comply with GDPR will give your staff, clients and other stakeholders confidence that you take data security seriously. Internally it should also improve the management of information across your company.
If you would like to discuss the impact of GDPR on your business and how we might be able to help you address any concerns, call us on +44 203 670 5540 or +44 (0) 7545 813 894 or contact us online.