Summary

The GDPR is new data protection legislation, effective 25th May 2018, designed to give consumers greater control over their data while putting the onus on businesses to keep that information safe.

If your organisation has a presence in the EU, it will need to comply with the General Data Protection Regulation. Non-compliance after 25th May could result in substantial fines of up to £17.5m or 4% of the organisation's total worldwide annual revenue (whichever is higher). It is therefore essential that compliance is taken extremely seriously to avoid these penalties.

What are the most notable changes?

  1. Customers must actively tick a box confirming that the company may add their personal information to its database. If they do not, their data must be removed.
  2. Customers will have a greater ability to access their data and see how it is being used.

Preparation

  1. Awareness

It is essential that your workforce and the key decision makers are aware of the provisions of the GDPR. Most employees will have access to some form of confidential information, and can therefore put the entire organisation at risk if they are not well informed.

  2. Information you hold

Businesses should keep up-to-date records of the data they hold, where it came from, and who it is shared with. This will help the business comply with the GDPR accountability principle, a requirement that organisations must be able to show how they comply with the data protection principles. It can also serve as an essential log should a non-compliance issue arise.

  3. Communicating Privacy Information

Any business that collects personal data must provide the data subject with certain information, such as the organisation's identity and how it intends to use the data, communicated via a privacy notice. Under the GDPR there are additional requirements that must be included in this document, such as an explanation of the organisation's lawful basis for processing the data, the data retention period, and a clear statement that the individual has a right to complain to the ICO if they think there is a problem with the way their data is being handled.

  4. Individuals' Rights

An organisation's systems must have procedures that allow it to act on a data subject's request easily; for example, deleting their data or providing it electronically.

  5. Subject Access Requests

It is important to put a plan in place to ensure that an organisation can handle data subjects' requests. The following must be taken into consideration:

  • Most likely, businesses will not be able to charge for complying with a request;
  • Businesses will have a month to comply (rather than the previous 40 days);
  • If a request is excessive, it might be possible to refuse it or request payment;
  • If a request is refused, the data subject must be informed that they have the right to complain to the supervisory authority.

  6. Consent

With consent at the core of the GDPR, it is essential to review how the business seeks, records and manages consent to ensure that it meets GDPR standards. Remember that consent must be freely given, specific, informed and unambiguous. This will require an obvious 'opt-in' box and clear information in the terms and conditions.

  7. Data breaches

Each business must have the correct procedures in place to ensure that a personal data breach can be easily detected. Following a breach, it is likely that the ICO and the data subjects involved will need to be notified. Having clear processes in place to detect, report and investigate breaches will ensure that no unnecessary fines are incurred.

  8. Data Protection Officers

It might be a good idea to designate someone to oversee and take responsibility for the organisation's compliance. Certain organisations that carry out large-scale processing of special-category data, such as health records, are required to formally designate a Data Protection Officer (DPO).

  9. Determine your lead supervisory authority

If your organisation operates in more than one EU member state, it is essential to identify the lead Data Protection Authority and document it; this will be the authority of the state in which the main establishment resides. This only applies to organisations that have establishments in more than one EU member state or carry out processing that substantially affects individuals in other EU states.

Insurance

While there are only a few jurisdictions where GDPR fines are insurable, insurance against legal costs and liabilities following a data breach is widely available across Europe. Insurance policies can also incorporate GDPR training and consultancy to reduce the risk of a data breach.

All cyber insurance coverage offered by Safeonline provides businesses with the tools for GDPR-readiness via CyberScout. Their complimentary services assist businesses in complying with the new regulations, whilst protecting their balance sheets and reputation. CyberScout offers 24/7 protection to help safeguard the identity and privacy of policyholders, customers, members and employees. They can build customised programmes to help build brand loyalty and customer retention and as a result ensure that businesses quickly generate long-term recurring revenue.

Conclusion

Compliance is not a choice; it is an obligation. Forward-thinking businesses should embrace the positives of the GDPR, act fast and put processes in place to become, and remain, compliant now. The GDPR provides a welcome opportunity to build a more trustworthy relationship with customers through greater transparency, while also providing businesses with a simple, clear-cut legal environment in which to operate.

If you would like to discuss the GDPR further, please get in contact with us via: cyber@safeonline.com