GDPR: how prepared should you be?

The GDPR deadline is looming and most organisations are still not fully prepared: What's the best approach to the GDPR and which lines of business need to be aware of the coming regulation?

By Jo Best

Sun 24 Sep 2017 @ 14:45

Organisations still have until May 2018 before they need to comply with the EU's General Data Protection Regulation (GDPR). However, given the scale of change the GDPR will bring to how organisations gather and handle data, the groundwork should be well under way.

The GDPR affects any organisation that collects and processes personal data on individuals in the EU, regardless of whether or not the organisation itself is based in the EU. And, for those hoping Brexit would be a get-out-of-jail-free card, there's no escape route there either: the UK government has already signalled its intention to enshrine the GDPR in UK law even after Britain has left the European Union.

In short, there are very few organisations doing business internationally that shouldn't have the GDPR on their agendas right now.

For those that don't comply, the penalties may be significant: organisations breaching some of the GDPR's requirements could face fines of up to €20m or four per cent of their annual worldwide turnover, whichever is greater. And although the UK data watchdog, the Information Commissioner's Office (ICO), has said fines will be a last resort, compliance remains important to ensure that customers' and partners' data are treated appropriately.

But how prepared are organisations for next year?

According to one recent survey, 55 per cent of companies in the UK, 70 per cent in the EU, and 93 per cent in the US hadn't started preparing for the GDPR as of June. With less than a year to go until the GDPR comes into force, it's not too late to become compliant in time, but preparations need to be started as soon as possible to ensure the EU's deadline is met.

Businesses should at least have prepared for the GDPR by reading and analysing the regulation's 99 articles and 173 recitals and getting to grips with how it will affect them and their industry, enlisting the help of third parties if necessary. They should also understand whether they are classed as a data controller or a data processor, and what the GDPR means by these terms, since the obligations differ.

Not every organisation needs to appoint a dedicated data protection officer (it is mandatory for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data). Even so, every organisation should ideally have named an individual who is charged with GDPR compliance and have that person draw up a plan for how to meet the May deadline.

If this hasn't been done already, organisations should make it a priority. That individual should also oversee the communication plan of how the GDPR will affect the organisation, from staff members to board members, and make sure that HR, finance, legal, marketing, IT and any other relevant lines of business are up to speed on their obligations.

Perhaps the toughest and most time-consuming part of meeting the GDPR for organisations is assessing how far away they currently are from complying.

Not only should organisations know what personal data they hold on their customers, they should also be aware of how it was gathered, why it is held, and who it's shared with. An information audit can help here. Once that's been done, organisations can move on to working out how they would export or delete such data on request, as the GDPR's rights to data portability and erasure require.

At this stage, organisations would be wise to begin examining any privacy notices on their websites, and assess whether they will need to be changed to meet the GDPR. Similarly, businesses should review how to get consent for gathering data from individuals, and whether it's sufficient to meet the GDPR.

How prepared organisations should already be for the GDPR ultimately depends on their size, their industry and the nature of their business. However, at the bare minimum, each one of them should have a clear plan for meeting the GDPR's requirements on, or before, the deadline.

And irrespective of the possible fines, organisations should see the GDPR as a golden opportunity to improve their data handling and security practices.
