The General Data Protection Regulation (GDPR) is coming into effect in May 2018, and with just under a year to go, questions on whether organisations are going to be able to cope with the changes—and whether they can become compliant in time—are piling up. Compliance with the GDPR is mandatory, and the regulations are indeed more stringent and severe than those currently in place under the Data Protection Act (DPA). But if you act now, you have ample time to make the necessary changes and ensure the security of your company data is in keeping with the new regulations.
In this post, we’ll look beyond some of the scaremongering that has crept into the GDPR conversation and focus instead on how you can prepare yourself and your company for the GDPR through a technology risk assessment.
Change for the better
To begin, let’s take a brief look at two of the biggest changes the GDPR will bring:
- Increased Territorial Scope
The GDPR has a much wider reach, applying to all companies that process or manage the personal data of individuals residing in the EU. This means that companies based outside the EU dealing with individuals living in Europe will still be liable to the GDPR.
- Increased penalties for non-compliance
Organisations in breach of the GDPR can be fined up to 4% of their annual global turnover or €20 million (whichever is greater).
A 2017 study from Veritas found 86% of organisations across the world are concerned that a failure to adhere to the GDPR could have a major negative impact on their business—and a further 20% feared that non-compliance could put them out of business altogether.
The same Veritas study found that 19% of respondents believe the negative media or social coverage surrounding the GDPR deadline could lead to them losing customers, while 12% thought that same negative coverage could cause their brand to be devalued.
The UK’s DPA has been in place since 1998, so a change to how we handle and process data is likely to cause some alarm. But while the increased fines and added liability may seem daunting, they shouldn’t provoke panic. On average, firms are forecasting spending in excess of £1.1 million on GDPR readiness initiatives. A knee-jerk reaction, however, may lead you to buy new or seemingly capable technologies that don’t truly fit the needs of your business, leaving you with a wasted investment or a more complicated environment than before.
Patience is a virtue
Instead, you should first fully understand the technology you have in place and the level of control it holds over company data. A better understanding will help you assess whether more functionality is needed to keep compliant with new regulations.
The following are some of the preliminary steps your organisation should look to take in preparation for the GDPR.
- Awareness
It goes without saying that one of the first steps towards GDPR compliance is awareness of the situation. You need to make sure that key decision-makers in your company are aware that data regulation laws are changing and what those changes mean for the business.
- Information audit
With a wider territorial reach in force, it will help to start documenting all the personal data you hold: what it is, where it came from and who you share it with. An audit of your company’s IT will improve the accuracy, relevance and security of any recorded information, giving you better visibility of the personal information held across your company.
- Subject access requests
At any time, an individual has the right to obtain access to their personal data and confirmation that it is being processed. You will have less time to comply with such a request under the GDPR, so new timescales for handling requests will need to be implemented.
- Consent
The GDPR sees consent as an ongoing and actively managed choice rather than a one-off compliance box to tick and file away. Businesses will therefore need clearer, more granular opt-in methods (for services or subscriptions, for example) and must offer an easily accessible opt-out method at all times.
- Data protection by design and data impact assessments
It’s recommended that you familiarise yourself with Privacy Impact Assessments (PIAs) and work out when to implement them in your organisation. We recently wrote a post detailing PIAs and their impact: “GDPR: awareness versus action”.
- Data Protection Officers
If your business is a public authority or carries out large-scale monitoring of individuals, you must appoint a Data Protection Officer (DPO). The DPO’s role involves informing and advising the business on its obligations under the GDPR, so even if you are not required to appoint a DPO, it may be a good idea.
The value of a technology risk assessment
A year is ample time to prepare for the GDPR, as long as you start now and act with purpose. To start improving your data security and becoming GDPR compliant, your company first and foremost needs to take stock of the hardware, software, cloud systems and mobile devices that can hold or digitise customer information. Carrying out a technology risk assessment gives you a quick and decisive overview of which areas of your business in particular will need work to become GDPR compliant.
At bluesource, we specialise in compliance, governance and technology risk assessments to help companies of all shapes and sizes not just get ready for the GDPR, but stay compliant well into the future. If you want to ensure your company’s data security is up to scratch come May 2018, talk to us today to see how we can help you.