Data protection is becoming an increasingly pressing matter for firms.
On May 25, 2018, the General Data Protection Regulation (GDPR) will come into effect for all entities established in the European Union, and for any entity that processes the personal data of individuals in the EU (as customers, employees, or business partners) when offering them goods or services or monitoring their behaviour. The regulation rests on the following principles:
| Principle | Description |
|---|---|
| Lawfulness | Data should be processed only when there is a lawful basis for such processing (e.g. consent, contract, legal obligation) |
| Fairness | The organisation processing the data should provide data subjects with sufficient information about the processing and the means to exercise their rights |
| Transparency | The information provided to data subjects should be in a concise and easy-to-understand format (e.g. the purpose of consent should not be buried in a lengthy document of terms and conditions) |
| Purpose limitation | Personal data may be collected only for a specific, explicit, and legitimate purpose and should not be further processed |
| Data minimisation | The processing of personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which those data are used |
| Accuracy | Data should be accurate and kept up to date |
| Storage limitation | Data should not be held any longer than necessary in a format that permits personal identification |
| Security | Data should be processed in a manner that ensures security and protection against unlawful processing, accidental loss, damage and destruction |
| Accountability | The data controller is responsible for demonstrating compliance |
If companies fail to comply with these regulations, they can expect heavy financial penalties as well as serious reputational damage.
From a survey and conversations with executives, McKinsey identified common mistakes that firms are making when attempting to improve compliance levels:
- Misunderstanding the breadth of the regulation. Many executives did not fully appreciate the sheer scope of the GDPR, whilst others believed that complying would be taxing for their firms and doubted that they would actually be able to comply by the time the regulation comes into force.
- Uncertainty. There is some ambiguity as to how to interpret the requirements of the GDPR. The regulation sets out principles (shown above) that organisations should adhere to; however, most companies have still not worked out how to put these into practice. For example, under the principle of ‘Fairness’, what is to be understood by ‘sufficient’?
- Difficulty in identifying the additional security precautions required. As the GDPR is believed to be similar to the Data Protection Act, firms are inclined to rely on their existing protocols for compliance. As records of processing activities expand, firms must ensure that the measures taken are proportional to the risks attached to particular types of personal data, which requires a more structured approach to data risk management.
With this in mind, what precautions can businesses take to ensure that they are not left behind with regards to GDPR?
Taking observations from the industry, we outline some key steps that we believe to be vital for any organisation to take:
- Delegate the implementation program across multiple teams. The vast majority of GDPR programs will require multiple functions committing and sharing responsibility for change.
- Prioritise aspects of the GDPR and data assets that are critical to compliance. Many businesses believe that they will not be fully compliant by May 2018, so it is essential that the most important parts be covered.
- Make sure interpretations of GDPR requirements are established in house. Highlight uncertainties in the requirements, and be clear about which mistakes cannot be made.
- Assess current problems with compliance and plan how they can be confronted and managed.
- Build an inventory of all personal data stored within the company system, where the data has come from, what is done with it, what the lawful grounds for processing are and whom the data are shared with.
- Define an organisational data protection structure that includes more than just a Data Protection Officer (DPO).
- Think about benefits of GDPR. Better data protection means increased levels of trust, better relationships with customers and better internal data handling.
Following these guidelines, and understanding the GDPR, will be key to getting any organisation on the right course to implementing the regulation by May 2018.
Firms that fail to act fast will face the consequences, so it is vital that all parts of an organisation prioritise the new regulation.