The General Data Protection Regulation (GDPR) represents the biggest change to personal data regulation in a generation. It will affect almost every business in the UK, whatever its size. It comes into force on 25 May 2018 and it has global applicability. You need to be aware of its provisions, and start working towards achieving compliance for your business.
The General Data Protection Regulation is new legislation that governs the way personal data is collected, stored and processed. It represents a major change from existing legislation and will apply in the UK even after Brexit.
Essentially GDPR hands the ownership of personal data back to the individual, and gives us, as individuals, rights over how our data is stored and used. Businesses that comply with GDPR will not only improve their own data governance, data management and security, but will benefit from an improved trusted relationship with their customers and prospects. Ultimately establishing trust between individuals and the companies from which they buy goods and services, and reassuring them that their personal data is safe and secure when they provide it, can only be a good thing for both the individual and business.
The primary assumption in GDPR, which is different from the existing Data Protection Act, is that data will be compromised, lost or stolen. Complying with its provisions will minimise the impact of such data breaches on both the company and the individuals whose data is affected.
We’ve explored some of the implications in a series of blogs, we’ve discussed its impact on the Charity sector in particular, and we’ve published a 4-page white paper on the key provisions. To find out more about GDPR itself, just follow these links. You should also visit the Information Commissioner’s Office website – the ICO is the UK regulator; its website is full of useful information about the regulation and advice on how to set about achieving compliance. It has also recently introduced a small business advice service that you can call, free of any obligation, to seek advice on how GDPR affects you and how you should approach it.
GDPR is so comprehensive that other jurisdictions and many global businesses are considering adopting it as their default personal data privacy legislation. If your business processes the personal data of European residents, whether B2C or B2B, wherever in the world you’re based, then you are required to comply.
But let’s just start by saying that GDPR extends the definition of personal data, it changes the concept of consent, it introduces new guidelines on the way data should be stored and it gives individuals a new set of rights over their own data. GDPR is not a one-time box-checking exercise, it requires the implementation of processes and standards in the business’s everyday activity. These must be documented, maintained, monitored and regularly tested.
In order to help our clients achieve and maintain GDPR compliance, Cameo Innovations has introduced a set of GDPR services:
Your CI consultant will initially discuss the way the business operates and any legal requirements or obligations on data retention which may override the default provisions of GDPR. They will advise on the likely impact of GDPR and who in the business should be involved in the project. In collaboration with appropriate members of your team, they will conduct a detailed assessment which will include:
- how personal data is collected
- how personal data is stored
- how personal data is processed and secured
- whether any third parties are involved
- what processes are in place to manage data
- what systems are in place to detect a data breach.
The deliverables from this service are:
- a gap-analysis report identifying the activity areas and processes which will need to be implemented, modified or improved
- a set of recommendations on how to move forward.
This service will require an initial exploratory meeting of 2-3 hours followed by 1-2 days work in conjunction with appropriate members of your senior team to complete the detailed assessment and generate the gap-analysis. Our recommendations will usually be provided within 10 working days and we’ll arrange to present these to the senior team face-to-face. What you do with these recommendations is entirely your choice.
This will, of course, be different for each client, based on the gap analysis and recommendations produced in GDPR Preparation, but will very likely include:
- an information audit
- encryption and anonymisation of data, and migration to a secure location
- on-premise updates of systems, processes and documentation
- business change, business process improvement and adoption
- implementation of ISO 27001 security controls
- implementation of secure, encrypted backup, security, access and authentication processes
- introduction of mobile device management to secure data on phones, tablets and laptops
- review of privacy and data retention policies
- re-acquisition of appropriate consent from individuals where necessary
- review of supplier contracts to ensure they incorporate GDPR compliance
- review of employment contracts and the employee data protection policy
- implementation of a client data access portal to enable individuals to access, and maintain, their own data
- implementation of a 72-hour breach notification process
- staff training
GDPR Maintenance & Support
GDPR isn’t just a one-time exercise. It requires ongoing compliance, maintenance of documentation and regular checks. Larger businesses, local authorities, and those that process personal data as a core business activity will be required to appoint a Data Protection Officer (DPO) to advise on ongoing activities and process improvements. In order to help with this, Cameo Innovations has introduced some ongoing services:
- DPO as a service
  - Larger businesses will appoint a full-time DPO, but smaller ones may prefer to contract this to an external agency. CI is able to quote for the provision of a DPO service.
- GDPR monitoring service
  - GDPR processes, procedures and documentation require regular (at least annual) review and testing, analogous to the regular fire drills you currently conduct to ensure everyone is aware of escape routes, muster points and roll-call procedures. CI offers GDPR monitoring as a service.
- GDPR consultation service
  - No business stands still. Mergers and acquisitions, changes in business focus and activity, updated advice from the regulator and the availability of new tools and technology may all have implications for the business’s ongoing GDPR compliance. CI consultants are available to advise on the implications of such changes.