This may feel like a long way off but the obligations on businesses are onerous and the time to prepare is now. The hefty fines that GDPR promises will come into force immediately so businesses are being given plenty of warning to put procedures in place to ensure they are compliant with the regulation. Read this essential guide to getting GDPR ready.
2. e. hello@novi.ie t. +353 (0) 1 621 8633 novi.ie
The EU GDPR (General Data Protection Regulation) comes into law on 25th May 2018. This may feel like a long way away but the obligations contained in the regulation are onerous and businesses need to be getting ready now! The regulation will be applicable immediately once the date arrives, so businesses are being given plenty of notice to get systems and processes in place so that they are compliant.
So what’s the GDPR all about?
The GDPR introduces stricter data protection rules for organisations that operate in the EU market and process or hold the personal information of EU citizens.

The GDPR is designed to increase the privacy of individuals and protect their personal data. Hefty penalties may be imposed on companies that experience data breaches, with fines of up to €20m or 4% of global annual turnover, whichever is greater. Businesses are well advised to begin now (if you haven’t already started!) putting in place procedures and systems that ensure compliance and protection against potential data breaches.

As cyber criminals get smarter and find more and more ways to hack into companies’ databases, the risk of a breach is increasing all the time. Unprotected companies are not only risking their reputation with their customers; when the GDPR comes into effect they will also be liable to hefty fines in the event of a cyber-attack on their data.
What are the implications for my business?
The GDPR places onerous obligations on companies to demonstrate compliance, requiring them to:
1. Maintain certain documentation
2. Conduct a data protection impact assessment
3. Implement data protection by design
4. Prove clear consent to process personal data
5. Appoint a Data Protection Officer for large scale data processing

In the event of a data breach, businesses must notify the Data Protection Authorities within 72 hours. All companies will have to adopt internal procedures for handling data breaches. These requirements are applicable to any sized business that processes personal data for a commercial purpose, from a sole trader to an SME to a multinational.
Don’t make the mistake of assuming this won’t apply to your business because of its size, turnover or the amount of data held. SMEs and smaller businesses are expected to manage their data flows and processes to the same extent as larger companies. Whilst some areas of the regulation recognise that SMEs have fewer resources and reduced capabilities and may well pose less of a risk to the privacy of EU citizens, SMEs still can’t do nothing. They too have to address the conditions of the regulation and become compliant as far as is possible.
Does my business need a Data Protection Officer (DPO)?
One of the major changes that the GDPR will introduce is a change to how organisations manage their internal governance around personal data. The requirement for a Data Protection Officer was originally restricted to companies with 250+ employees. The final version has no such restriction, and companies are left with the responsibility of deciding themselves whether or not the requirement for a DPO applies to them. Given the hefty fines involved if an organisation fails to meet this requirement, this is a daunting consideration.
GDPR: Time to Act, 25th May. Technology for Business
So what factors do you need to consider to determine if you need to appoint a DPO?
The GDPR states that any company engaged in ‘large scale’ data processing must appoint a DPO. The question that many companies are asking is: what constitutes large scale? To reach an answer, companies need to look across their organisation at the data that they are collecting, storing and processing. They must assess this data in terms of volume and scope, including its geographic reach, the duration it is held and whether it is of a personal or sensitive nature as regards ethnicity, religious views, health or criminal convictions. It is also important to consider whether or not the processing of the data constitutes a core activity in their business and if monitoring of this data is regular and systematic.
A good example, in terms of the scale of data processing, is the data held by an individual GP or small GP practice as opposed to that held by a hospital. In this case both meet the requirement in terms of the personal nature of the information held, but clearly the hospital would be large scale and the GP practice would not.

Another example would be a large insurance company, where the capture and processing of personal data such as financial information would be a core activity, versus an independent broker, where it would also be a core activity but not on a large scale.

Also consider an online retailer that captures financial and address information regularly and systematically versus a company that maintains an email mailing list and only holds email addresses and names captured in an ad hoc manner.
Simply put, the criteria for a dedicated DPO are currently somewhat unclear. Companies need to show discretion in their decision as to whether or not to appoint a DPO, while also showing caution to avoid the risk of significant penalties. Remember that your understanding of “large scale” doesn’t necessarily match that of the Data Protection Authorities.

If you are unsure about appointing a DPO it would be advisable to take advice from a company offering GDPR consultancy.

Of course, it has always been, and remains, good practice to have someone in your organisation with responsibility for handling Data Protection issues.
Is ‘large scale’ relative to overall company size or to the scale of data processing within the firm?
The purpose of the GDPR is to enforce greater privacy and protection of personal data for the individual. If companies are capturing and processing significant amounts of data on a large number of individuals then this constitutes large scale data processing, regardless of the size of the company in terms of either profitability or employee numbers.
Is GDPR only for B2C? What are the consequences for B2B companies?
Although B2B companies may not capture and process an individual’s data on as significant a scale as some B2C companies, the GDPR still has consequences for them. Most B2B companies will undertake email marketing as a way of reaching out to prospects. Under current law, you can send an unsolicited email to an individual’s work email address unprompted, as long as you provide an option to unsubscribe. Under GDPR you will need their prior consent and, furthermore, must be able to show proof of consent. You will also be required to delete their data after a set period of time under the ‘right to be forgotten’ directive contained in the GDPR. This and other requirements, such as ensuring opt-in forms and processes are compliant and consistent across the organisation, now mean that B2B companies need to look at their current data governance function and adapt it to ensure compliance.
B2B companies are also as open to a data breach as any other organisation. In the event that they fail to report a breach, or are found to be lacking in their cyber-crime prevention strategy, they will face the hefty penalties laid out by the GDPR.
What’s the big danger for Irish SMEs?
The big danger for Irish SMEs is complacency and ‘it won’t happen to me’ thinking. We see this regularly in relation to cyber security – SMEs thinking that cybercrime is reserved for bigger organisations. SMEs can’t afford to think that they won’t be subject to the GDPR rules or held accountable for any breach of these rules. The reality is that this law will be wide reaching and enforced with rigour, and SMEs will have nowhere to hide should they be negligent in meeting its requirements. SMEs would be well advised to start preparing for the arrival of the GDPR now, specifically in relation to the implementation of data protection and cyber-crime prevention solutions. In order to avoid GDPR penalties, SMEs must have their data well protected with robust, fail-safe security solutions and procedures in place.
What should I do next?
Inform your team – Make sure you raise awareness internally of the change in the law. Identify the key people in your organisation who can assist in the journey to compliance and enlist them on the project.

Data review and audit – Conduct an internal review and identify where data is held, e.g. HR records, supplier contracts, financial records. Review how data is processed and who has access to it. Document all the findings.

Review your internal processes – Review your privacy notices and data collection processes to ensure they cover all the rights an individual has, especially around consent to collect and hold their data.

Adopt privacy by design – Document and implement methods to ensure that data protection becomes a key component of the internal processes of the company and is seen to be a key consideration in the early stages and throughout the lifecycle of any project.

Appoint a Data Protection Officer – Consider appointing someone within your organisation to take ongoing responsibility for data compliance and protection.

Secure your data – Put systems in place to protect your data from a security breach. Map technology to the processes required to ensure compliance on an ongoing basis. Work with a cyber security solutions company who can put solutions in place that will identify weak links in your network that could leave you vulnerable to attack.
Managed Security Services from a trusted provider can ease the pain
While GDPR compliance is not something that can be achieved through technology alone, the provision of ‘State of the Art’ network security is clearly an essential first step. To reduce exposure to the potentially crippling implications of a serious data breach, it is necessary to minimise both the number of network intrusions and their time to detection. It is here that Novi can contribute most to an organisation’s overall compliance efforts.

Novi’s cyber security service delivers reliable, high performance and cost effective security as a managed service, taking the headache away from companies. As cyber threats are continually evolving and criminals find ways to evade systems, the changing threat landscape requires specialist expertise and a multi-layer approach. Managing all of this in-house is a real challenge for companies, and many of them are migrating some or all of the risk out of their IT departments into the hands of professionals.

Along with our partners Fortinet, world leaders in security, we utilise tools that are highly scalable, support multi-tenant environments and provide robust, single-pane-of-glass management to implement and maintain a secure data environment.
Implementing security systems is not a once-off activity; it requires ongoing monitoring and improvements as the cyber criminal’s modus operandi moves at an alarming rate. Our always proactive and highly structured approach ensures businesses never expose themselves to unnecessary risks.

From initial engagement through to strategy, implementation and support, we promise our customers an unrivalled level of proactivity. Our service includes 24/7 network monitoring, as well as our unique offering of weekly, monthly or quarterly scheduled, Novi-subsidised onsite visits. In doing so, we reduce unplanned system outages by 87% and helpdesk calls by 43%, and reduce the risk of a cyber breach by an average of 75%.

We work round-the-clock on our customers’ behalf to prevent data breaches, which can result in regulatory non-compliance as well as brand and reputational damage.
Don’t delay GDPR preparations
Although mid-2018 may seem a long way off, businesses would be well advised to start planning now! Systems and processes take time to change. The countdown has started!

To assess your business or organisation’s readiness for GDPR, visit https://www.gdprbenchmark.com/, a quick online self-evaluation tool from Novi partner Microsoft.