Will the GDPR affect me?
Almost certainly, yes. GDPR applies to any organisation, of any size, that:
- has an establishment in the EU, or
- offers goods or services to people in the EU, or monitors their behaviour, wherever the organisation itself is based.
The 250-employee figure is widely misread as a threshold for the whole regulation. It isn’t. It only governs the exemption from keeping formal records of processing activities (Article 30), and even that exemption falls away if your processing is more than occasional, is likely to put data subjects’ rights at risk, or involves special categories of data. If you’ve ever stored a customer’s name and address, you process personal data, and GDPR applies to you.
Any business is much better off assuming that GDPR will apply to their operations, because the legislation firmly puts the burden of proof on companies, not individuals.
What is the timetable for GDPR?
It’s a bit late to ask that question. This isn’t a change with a process of gentle nudging towards compliance. There’s only one date which matters: 25 May 2018, at which point the full force of GDPR is brought to bear.
What do I have to do?
That will depend on the resources at your disposal and the nature of the data which you hold and what you use it for.
But it’s worse than that. GDPR demands that businesses put in place “appropriate” technical and organisational measures to protect Europeans’ data (Article 32), judged against the state of the art, the cost of implementation, the nature and purpose of the processing and the risk to the people concerned. What counts as “appropriate” is deliberately left open. That’s fair enough – companies use data in thousands of different ways. But it does mean that what constitutes preparedness is up to you, and that you must be able to justify your choices.
That said, some basics remain the same:
Roles and responsibilities
GDPR is big on identifying responsible parties. There are some specific roles enshrined in law, and you should work out who’s who, even if they are the same person:
The Data Controller:
The organisation (or person) that decides why and how personal data is processed – which data is collected, for what purpose, and by what means – even when an outside body does the actual processing. In practice you should name the person who owns these decisions.
The Data Processor:
The person, people or organisation that actually processes the data on the controller’s behalf. This includes outside bodies such as suppliers and agencies; they now carry obligations of their own, but you remain liable for choosing them and binding them by contract.
The Data Protection Officer:
Mandatory for public authorities and for any organisation whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data (Article 37). A new role for most businesses, designed to make compliance proactive and a strategic contributor to the business.
Audit your data
You should also examine what data you hold. For most of us, this will amount to customer data – names, addresses etc.
But anything of a personal nature – health data, national identification numbers or information on ethnic background, for example – falls into the special categories and demands stricter treatment. Even more importantly, if you use or store web browsing information in any way (and many businesses do this automatically without even knowing) – data such as IP addresses, information from cookies or location-based insights – all of this counts as personal data and demands GDPR compliance. If you use a third-party marketing agency, it is essential that you have a written contract with them that meets the requirements of Article 28, and that you validate their compliance rather than take it on trust.
When you know what you need to achieve, you can start to plan effectively and realistically.
- Recruit/hire your DPO if you’re going to need one. It would be mad to embark on GDPR without getting your DPO involved. If you’re not going to hire a DPO, get alternative help if you feel you need it, even on a short-term basis.
- Put together a team - this should at least include a board-level sponsor, IT and legal expertise. Involve a representative of every team involved in processing data. If you have a Chief Data Officer and/or Chief Information Officer, get them (both) involved.
- Conduct a gap analysis which will identify what you need to achieve to maintain compliance and where the gaps are. This should not be theoretical: learn what it’s actually like on the shop floor. Ask what your team need to be able to continue doing their jobs – otherwise you’ll put in place systems which fall by the wayside within weeks.
- Invest to solve problems - this won’t be free of charge, but it needn’t be expensive. Put compliance down as a cost of doing business.
- Test the priorities! GDPR compliance isn’t a one-off, and you should regularly test your resilience. But even before GDPR comes into force, there are some priorities which represent the ‘spirit’ of GDPR and which really matter to regulators. You should make testing them a priority. In particular:
- Documentation: being compliant is only the start. Under the accountability principle you need to be able to prove it. Make sure you can document your data lifecycle – what you collect, why, where it lives, who can see it and when it is deleted – and make sure it’s not a massively time-consuming job to do so!
- Impact assessments: GDPR also requires a Data Protection Impact Assessment (DPIA) before any processing that is likely to put individuals’ rights at high risk (Article 35), for example large-scale monitoring or processing of special categories of data. A DPIA makes you describe the processing, assess the risk to the people concerned and to your business, and decide how to reduce it. It’s a useful form of preparedness, so demonstrate some commitment to understanding impacts before a crisis actually happens.
- First response: data breaches are going to happen, and the regulators know it. What matters is how well you respond; GDPR demands that breaches are reported to the supervisory authority within 72 hours of your becoming aware of them (unless the breach is unlikely to result in a risk to individuals), and that affected individuals are told without undue delay where the risk to them is high. Again, get your crisis plan in place and test it!