6 Things You Need to Know to Get Ready for GDPR before May 2018
15th January 2018
The EU’s General Data Protection Regulation (GDPR) requires that all organisations that carry, communicate or process EU resident data comply with data protection changes, regardless of whether they are actually based in the EU. If you do not comply you could receive financial penalties: up to 4 per cent of global revenues or 20 million euros, whichever is greater.
Your IT team may have awareness of the impending changes to data protection across the UK and Europe, however, that cannot always be said for all of your employees. The GDPR suggests that it is an employer’s responsibility to ensure that all their employees understand what the legislation is, the rights it gives individuals, and the responsibilities they have to ensure data is properly stored, processed and protected.
GDPR changes are expected to come into force on May the 25th 2018. What do you need to know and do before this date?
Your customers' personal data must be stored in the European Union
The transfer of personal data to non-EU countries will only be possible if a given country provides an adequate level of protection, a decision which will be taken by the European Commission. After providing the appropriate guarantee, this can be based on model clauses, binding corporate rules, approved codes of conduct and if both the sender and receiver have the “European Data Protection Certificate”. To put this in layman’s terms, personal data of the customers and the servers on which they are held, as well as any other records must be physically located in the EU.
You'll need to ensure any business partners, service providers, associates who handle your customers' data also comply. Sponge is ready on that front as both our headquarters and servers are based in sunny Scotland!
Customers have the right to erasure
Your customers will have the right to have their data deleted and their information forgotten if they request this after May 2018. This is part of a number of new rights granted to individuals and their personal data by GDPR. What that means is that they have the right to the permanent deletion of personal data processed by a company on the basis of marketing consent. This new data protection law applies to data stored digitally or in hard-copy (paper) form as well as any backup versions.
Again, any business partners, service providers, associates who handle your customer data will also need to comply.
Make sure that your organisation has an ongoing GDPR compliance plan
GDPR demands that companies comply with the rules; as was stated earlier, failure to do so could result in huge financial penalties. However, not only do you have to comply you will also have to demonstrate how you comply. You may have to implement more policies and statements, you will have to ensure that your senior management and staff are adequately trained. You can also undertake a Privacy Impact Assessment, which is a specific assessment process defined in GDPR, to determine what the risks are and how to mitigate them.
Further to this, you’ll need to do much more record-keeping and keep on top of your IT security; making sure that processes are up to date and appropriately tough. You may want to consider a compliance tracking solution, like the system we offer at Sponge. You can set your GDPR compliance requirements and Spark, our LMS, will automatically track it for you, highlighting areas where you may be at risk.
Employers have a responsibility to ensure all employees understand the legislation
The GDPR suggests that it is an employer’s responsibility to ensure that all their employees understand what the legislation is, the rights it gives individuals, and the responsibilities they have to ensure data is properly stored, processed and protected.
If you need help in training staff, we have online training modules that cover EU GDPR levels 1 & 2. The GDPR eLearning modules can be easily distributed to your employees via email and completed online, at any time, on any device, meaning they can do them at a time and place convenient to them – you don’t need a whole morning out of the office to do this training! Once your employees have completed the eLearning modules, you and your business will have clear documentation to demonstrate your GDPR compliance. Take a look here.
The rules regarding data breaches are about to get tougher
The rules surrounding the reporting of breaches of data, as well as the requirements to take technical and organisational measure to avoid them in the first place, have become much stricter under the new GDPR changes. Any significant data breaches must be reported to the local supervisory authority within 72 hours of discovery. You must also notify personal data breaches to the affected person(s) as soon as a data breach has been discovered.
Get proactive and start preparing now!
For any businesses that hold EU customer data, they should begin organising data immediately so that they don’t infringe upon any of the new GDPR rules by the time May rolls around. It’s not uncommon for EU data to be held in different departments, divisions or subsidiaries of large companies. This data will need to be protected and separated from other customer data; if you do run or manage a large organisation which holds a lot of customer data it may be worthwhile appointing a data privacy officer to enforce the new GDPR across your organisation.
Furthermore, it’s best to make sure that anyone handling customer data has the required knowledge on the new GDPR regulations and is GDPR compliant. Our training modules, as outlined earlier, can help you be prepared and would be a proactive step in bringing your organisation into line with the new GDPR rules.
If you need further support on becoming GDPR compliant, Sponge has partnered with GDPR consultancy, MercuryTide.
You can read the new regulations by clicking on this link. For more information about how we can help you and your business get ready for GDPR before May the 25th 2018, click on the link to contact us today.