The General Data Protection Regulation (GDPR) is likely to impact smaller companies as a recent study shows that 82%1 of SMEs are unaware of the new legislation and will potentially be hit with large fines when it starts being enforced next year.
The GDPR will replace all the existing data protection laws across Europe and shape the way in which companies handle, protect and profit from data. All businesses and not-for-profit organisations that process personal data concerning employees, customers or prospects who are in the EU and/or are EU citizens fall within its scope, wherever in the world the company is based and even if the data is processed outside the EU.
In other words, European data protection law will now apply worldwide, and businesses have until 25 May 2018 to prepare.
So what exactly is the GDPR?
Through the GDPR, the EU recognises:
- The right to private life as a universal human right and
- The right to have one’s personal data safeguarded as a distinct, standalone universal human right.
It is by attaching rights to an individual’s data separately to the right attached to an individual, that the EU can demand EU-grade data protection standards on businesses in other countries. The onus is on businesses to determine if they are in scope. As you are reading AVAIL, it is a safe bet to say that your company is within its scope, but to qualify this assumption, consider three simple questions:
- Is your organisation based in the EU?
- Does your organisation handle data concerning EU-based individuals?
- Does your organisation do any kind of business with organisations to which 1 or 2 apply?
If you answered yes to any of the three questions, it is most likely that your organisation is in scope of the GDPR. Unless you are confident your existing data handling procedures are already compliant with the regulation, this means action needs to be taken now to prepare for the May 2018 deadline.
There has been a lot of noise in the IT press about swingeing fines and GDPR is frequently portrayed as the new corporate bogeyman. It has to be said these fears are not without foundation: a two-tier sanctions regime will apply and breaches of the law could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater, being levied by data watchdogs2.
However, scaremongering is not a constructive approach. The good news is that correct implementation of the GDPR will not only ensure compliance and mitigate the risk of fines but, more importantly, will give compliant businesses a competitive advantage. That’s why Sungard AS advocates that organisations consider GDPR a central plank of business strategy that has high visibility with the Board.
Our Resilience consultants have drawn up a 12-step plan to guide you through the process.
- Brief senior management
Ensure the board is aware of the changes to data protection law and how this affects the business. Consider booking a Sungard AS GDPR Awareness Master Class for your C-Suite personnel.
- Kick-off a GDPR programme
This should be led by C-level executives (or heads of department in smaller organisations) and include the CEO, CIO, CSO and CCO or whoever is responsible for Compliance. The importance of having IT and Legal people speaking the same language and briefing the Executive cannot be stressed enough.
- Consider whether your organisation needs to appoint a DPO
The GDPR requires public authorities and other organisations whose core activities require regular and systematic monitoring of data subjects on a large scale, or that process a large scale of special categories of data to appoint a Data Protection Officer (DPO) who will guide the implementation of GDPR requirements and monitor compliance. The DPO should be the head of the data privacy governance structure, liaise with the supervisory authority (the Information Commissioner’s Office for UK businesses) and report directly to leadership. The ideal candidate will be IT conversant, and have good business acumen whilst also being proficient on all GDPR matters. Recruiting a DPO may prove time-consuming, so we advise customers to make this a priority.
- Update data governance policies and procedures to ensure they reflect the GDPR requirements.
- Analyse the GDPR and understand the legal implications for your business
Identify the risks associated with your business model and address them by means of adequate data governance. Where appropriate, streamline processes. Pay attention to processes that use personal data for profiling. Marketing, HR and Sales will probably need to adjust their ways of working to ensure compliance.
- Review your Record Management Strategy
Identify where personal data is being collected or acquired, the purpose for which it is being processed, and whether this data is shared with any other organisation. If this information is not currently available, a detailed investigation will be required so that all personal data and its flow within the organisation is accurately mapped.
- Run an awareness campaign in your company
Unless your business is a one-man band, you need to ensure that all personnel are aware and engaged in the quest for GDPR compliance.
- Challenge the basis under which personal data is stored, collected and processed
Review the more prescriptive GDPR definition of consent and determine if a new request for consent is necessary.
- Implement any necessary technical adjustments to ensure GDPR data rights are fulfilled
These are the right to be informed, to rectification, to erasure, to restrict processing, to object and rights in relation to automated decision-making and profiling and the new right to data portability.
- Review the current mechanisms for international data transfers
Be aware that the adequacy of Privacy Shield (which replaced Safe Harbour) is currently a subject of concern.
- Examine your supply chain
Ensure your efforts to comply are not undermined by engaging in business with non-compliant providers or business partners.
- Embed privacy in your operation
This is the only sustainable way to ensure compliance on an ongoing basis. GDPR is here and will be for the foreseeable future, even after Brexit.
Sungard AS can support you on your GDPR journey
Our consultants can help you initiate a GDPR compliance programme, develop the business case and establish a plan of action to gain competitive advantage by achieving cyber resiliency and regulatory compliance. To find out more, speak to your Account Manager, call 0800 143 413 or email avail@sungardas.com
Join us for a GDPR Breakfast Briefing
Sungard AS will be hosting a roadshow of breakfast briefings across the UK. Dates are currently being confirmed, but if you’d like to register your interest, please email events.uk@sungardas.com or call 0800 143 413.
About the author:
Rogelio Aguilar – Senior Consultant, Cyber Resilience, Security & Privacy – Sungard Availability Services
Rogelio studied Cybernetics and Computing Sciences in Mexico City, and gained an MSc in Information Security in London.
His areas of specialisation include Information Risk Management, Cyber Resilience, Data Governance and Regulatory Compliance.
He brings 20 years’ experience in the IT industry working with clients from the Energy, Financial, Retail, Broadcasting, Transport, Telecommunication, Legal and Education sectors in Europe and the Americas.
1 Survey of 821 IT and business professionals responsible for data privacy across the US, Canada, Asia Pacific (Australia, Hong Kong, Singapore, India), UK, Germany, Sweden, Belgium, The Netherlands, France, Italy, Spain and Poland conducted by Dimensional Research on behalf of Dell https://www.dell.com/learn/us/en/vn/press-releases/2016-10-11-dell-survey-shows-organizations-lack-awareness
2 http://www.computerweekly.com/news/450401190/UK-firms-could-face-122bn-in-data-breach-fines-in-2018