Businesses have nothing to fear from the new regulation, writes Harshini Carey
The EU Data Protection regulation becomes active on the 25th of May 2018 and the press is full of stories that may encourage panic. Rather than dreading the readiness process there is plenty of help out there that can aid your planning and enable you to put your systems in place.
The EU GDPR contains requirements on how businesses shall process and protect personal information. The many requirements set out in the regulation will call for new forms of co-operation between different departments in a firm such as legal, IT and the company management. Depending on the size of your company you may also require a Data Protection Officer.
Implementation first and foremost requires the correct administrative understanding of the tasks involved. Including;
- Setting the requirements in your own organisation’s handling of sensitive information.
- Setting the requirements for your organisation’s suppliers handling of sensitive information.
- Setting the requirements for the systems you use for data processing.
For many, the task of keeping the sensitive information they handle safe, is nothing new. What is new is that the EU GDPR sets a requirement that you must be able to describe how keeping data safe is intended before you go about doing it. Then, it must be possible to show on-going compliance with your own policies, procedures and guidelines.
So what do you actually need to do?
We like to split the important stages of compliance into 7 phases and it is vital for companies to understand each phase and what they can do to streamline their procedures within each:
Phase 1 is the identification phase. You need to define what your organisations core activity is. This encompasses such things as a mapping of all the company’s data: Where is the data, who has access to the data and in what processes is the data used?
Phase 2 is Gap Analysis. The results of the identification phase are compared with the requirements set out in the EU GDPR so that it is clear what gaps the organisation has with regards to complying with the regulation.
Phase 3 is the Privacy Impact Assessment (PIA). A PIA is a basic assessment of the registered party’s (for example your customer) level of protection. The purpose of a PIA is that a worst-case scenario for the registered party shall be considered, anticipated and thereby avoided.
Phase 4 is the implementation phase. Launch your data protection system.
Phase 5 is Contingency Planning for a leak:
In cases where a leak of sensitive information occurs, the EU GDPR contains a new requirement that private and public enterprises must inform the relevant authorities. The following information will need to be disclosed:
- What types of data were leaked?
- How many registered parties does the leak involve?
- What are the consequences to those registered parties?
- What has been done to ensure that this does not happen again?
The methods of informing the data leakage-public announcement, personal letter or emails.
Phase 6 is ongoing management, monitoring and follow up. It’s best to use an annual cycle to distribute the tasks of EU GDPR compliance throughout the year so not to put staff under pressure at one particular time.
Phase 7 is Awareness. Ensure that all your staff are familiar with their responsibilities. To some this will be new, and time needs to be taken for education and management.
Overall all our advice is to get your systems in place as soon as possible; seek help to streamline all the processes required and GDPR will not be a headache.
Harshini Carey is Regional Director UK at Neupart
