Although the new General Data Protection Regulation (GDPR) is mainly aimed at companies with more than 250 employees or high volumes of data processing, all companies will need to be compliant. It is important to demonstrate that you have taken steps to address this, as significant fines may apply, arising from audits, inspections or reported data breaches. Also, customers or suppliers may ask you to complete a data security questionnaire if you are handling data on their behalf, as they may wish to ensure you are compliant.
Personal data must be processed in a way that is lawful, fair and transparent. This means that consent must be given and you must make it clear exactly how you will use the data. For example, you no longer have the right to profile customers based on their identifying information and behaviours without their explicit consent.
Below are steps that startups and SMEs can take to be ready for May 25th, 2018.
Carry out an internal audit to identify all data processing activities, policies and procedures that involve personal data of customers, suppliers or employees.
Identify the personal data you have and the legal basis to process it. Map the flow of personal data through your organisation.
Assess and mitigate potential risks to personal data and conduct a technical review and vulnerability assessment of your IT systems.
Assess if your current systems meet the ‘3 Pillars of Information Security’:
- Confidentiality: protecting the information from disclosure to unauthorised parties.
- Integrity: protecting information from being modified by unauthorised parties and ensuring it is correct.
- Availability: ensuring that authorised parties are able to access the information when needed.
The internal audit and risk assessment will allow you to produce a gap analysis between where you are currently and what the regulation requires. You can now put an action plan in place, which will comprise the steps below.
Policies & Procedures
Consent: evidence of consent should now be sought and retained. Consent needs to be unambiguous and so it may not be appropriate for it to be buried within a contract. Similarly, implied consent or pre-ticked boxes would not be enough.
Access to personal data: the time limit on fulfilling an access request has changed from 40 days to one month.
Right to be forgotten or ‘erasure’: this is the right to have your information deleted, and, if it has been shared with 3rd parties, they must also be made to delete it.
Right to portability: this is the right of individuals to have an electronic copy of their data sent elsewhere.
Right to rectification: in cases where the data is incorrect, affected individuals have the right to have their data updated.
Breaches: you need to have a procedure in place for how to handle data breaches, which now need to be reported within 72 hours. You must also maintain a breach register.
An example of an area you might review could be a webform, where you now:
- Ask only for the minimal amount of information required;
- Use clear and plain language;
- Make it clear what the data will be used for;
- Confirm that you will not share the data with a 3rd party;
- Inform them how they can withdraw consent at any time.
Contract Review and Remediation
Where necessary, you may need to update contracts with suppliers or 3rd parties who are processing data on your behalf, or the employee handbook and policies, and communicate these changes to those affected.
Training and Awareness
You will need to make all employees aware of the new policies and procedures, and where necessary give specific training. You should keep documented evidence so that you can prove at any point in the future that you have sought to comply with the legislation.
Insurance for GDPR
Fines relating to data breaches could be quite high, and it is recommended to talk to your insurance company or broker to ensure that you have adequate cover in place; better safe than sorry!
Note: this content first appeared on https://sustainedgrowth.ie on March 13, 2018.