GDPR: Are you ready?
PUBLISHED: 10:06 17 April 2018 | UPDATED: 10:06 17 April 2018
Everyone’s talking about GDPR - the General Data Protection Regulation, which applies from May 25 this year. How is your business preparing for the new legislation?
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals in the European Union.
It also addresses the export of personal data outside the EU. GDPR aims primarily to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the rules across the EU.
When GDPR takes effect, it will replace the 1995 Data Protection Directive (Directive 95/46/EC).
It was adopted on April 27, 2016 and becomes enforceable on May 25 this year, after a two-year transition period.
Unlike a directive, it does not require national governments to pass any enabling legislation - and so it is directly binding and applicable.
Five ways to get GDPR compliant
When it comes to complying with the new General Data Protection Regulation, it’s not too late to take action.
Salpo Technologies, based in Cheltenham, offers businesses five top tips to avoid falling foul of the new legislation.
Where you rely on consent as your lawful basis for processing, by May 25 you will need to have contacted the individuals whose contact details you hold and asked them for explicit consent covering the data you hold on them, the way your company uses that data and, therefore, how they can be contacted.
You then need to be able to show how and when that consent was given.
Five steps to compliance:
1. Have a look at the ICO’s 12-step document, which outlines practical steps to achieving compliant data and is available on the ICO website.
2. Attend some of the GDPR webinars that are currently being run across different industries.
3. Take time to understand your current business processes. You especially need to document details such as:
• Where you store your existing customer contact details
• How you store this information and how the data is currently used
• The methods by which you communicate information to your customers such as email platforms and telesales campaigns
• How you will deal with customer requests for details on the data that you hold on them and how you will manage requests to amend this data or contact permissions
4. Make sure that everyone in your company knows what GDPR is, how it might affect them in their day-to-day roles and what plans they need to have in place to deal with these changes.
5. Reach out to your software providers - where their software handles customer data - and find out what plans they have in place, or have already implemented, to help with GDPR compliance. You can then identify and fill gaps in your data protection plan.
Am I doing enough?
Worcester-based ISO Quality Services Ltd is an independent organisation that specialises in the implementation, certification and continued auditing of ISO and BS EN Management Standards. It also offers ISO / BS consultancy, training and internal auditing.
Does having an ISO Standard mean I’m GDPR compliant?
In a word, no.
Even having the Information Security Standard (ISO 27001) doesn’t make you fully compliant, although it helps significantly.
Although we can help you achieve compliance in three different ways (as outlined below), every business including those running internationally recognised management systems will need to take steps to review their data and update their policies and procedures.
Why is GDPR a buzzword at the moment?
GDPR is a beefed-up version of data protection law. It has been a regulation for a while but becomes enforceable on 25th May. That’s when businesses run the risk of big fines from the ICO (Information Commissioner’s Office). The potential fines for failing to comply with GDPR could reach up to €20 million or 4% of the group’s worldwide turnover (whichever is the greater) against both data controllers and data processors. Whilst GDPR will apply from May 25 2018, it is an ongoing matter that your business will need to continually comply with.
We don’t know what to do, can ISO Quality Services help?
Whilst GDPR can seem a little daunting, here at ISO Quality Services we pride ourselves on keeping it simple. Whether you’ve been putting off your GDPR preparations or have made a start but feel you require guidance, ISO Quality Services can help in three ways:
1. GDPR training
We offer a one-day interactive workshop that uses business scenarios to introduce the new legislation and provide an overview of the steps that businesses will need to take as dictated by law to become compliant.
By the end of the day, you’ll be able to:
• Understand what the EU GDPR is and why the law is changing.
• Explain what has changed from the Data Protection Act 1998 and what is expected going forward.
• Understand what the impact of the EU GDPR means for your business.
• Be able to formulate a plan of action.
2. GDPR consultancy
We appreciate that every business is different and each will manage their data in different ways. We can therefore arrange for one of our GDPR consultants to come into your business and provide one-to-one guidance tailored for your needs.
To explore this option, call us on 01905 670303.
3. We can help you implement ISO 27001
Businesses with ISO 27001 are already halfway to achieving compliance. Certification is normally achieved in eight weeks, regardless of the business size or sector.
One of our expert auditors will carry out an initial assessment. This process involves a gap analysis, identifying areas of non-compliance, recommending areas of improvement to meet the requirements and the gathering of information to compile documentation.
Once you are certified, we work with you to ensure you stay on track. We help you monitor your progress with a six monthly review from our expert auditor and an annual recertification audit. We also provide over the phone support all year to help you keep on top of things.
I already have ISO 27001, do I need to worry about this?
You do, but you’ve already got an advantage in that many of the processes within ISO 27001, such as disposal of media and security of equipment, are great best practice for complying with GDPR. If you require any help, we can arrange for one of our consultants to conduct a gap analysis to help bring you up to compliance. Alternatively, take a look at one of our upcoming GDPR training courses.
We’re an existing client, is GDPR included in our package?
The GDPR is not a change to an international management system, it’s a fundamental shift in the way data is used and stored within your business’s operations. As such, we cannot issue an update to a manual to help you achieve GDPR compliance.
To give another example, if we help a client run a BS 18001 Health & Safety management system and new H&S legislation comes in, such as a change to manual handling, our client will still need to make operational changes to ensure compliance with the new legislation.
Take your time: Get it right
William Stebbings is a Senior Associate Solicitor at business law firm Sherbornes Solicitors. He has practised commercial law for 38 years and has a special interest in data protection, intellectual property and competition law.
GDPR has taken on some kind of mystical unfathomable status that it does not deserve. It’s clear why so many small business owners are worried about it. It cannot be codified into a simple list of numbered rules and many advisors are frightening businesses in an attempt to win business.
However, it does not deserve the status of number 1 worrying risk for a business and it can be solved fairly easily with a simple, methodical approach. The key message is not to rush and get it wrong.
The Information Commissioner has stated very clearly that she is growing tired of the scaremongering and that, as long as you are compliant with the old regime, and are genuinely working towards complying with the new, she will not penalise any business during the first 12 months. So, slow down and get it right, as this leniency won’t last forever.
• Start working toward compliance now, if you haven’t started already. It will take some time.
• Document each step you take, so that if you do make a mistake in the future, you can show that it is not because you have failed to take GDPR seriously.
• Conduct a Data Audit. Get your senior managers involved and document all forms of personal data that you hold. This could be email addresses, CCTV footage, names and addresses, payroll information. List it all, no matter how trivial.
• Once the audit is complete, identify for each class of information, whether and how you process it.
• Identify for each type that you process, the reason that you process it. There are 6 permitted reasons. It may be hard to change the reason at a later date, so it’s best to get this right. The 6 reasons are:
1. Consent of the individual
2. Contractual necessity
3. Compliance with a legal obligation
4. Protection of an individual’s vital interests
5. Performance of a public task
6. Legitimate interest
• Perform a risk assessment (very similar to a health and safety risk assessment) to identify what risks there are to the data, and how you can eliminate or minimise these risks.
• Review your contracts, policies and procedures to include the measures that reduce or eliminate your risk.
• Train key staff on the changes and their obligations.
It’s little more than a route map. There are numerous professional firms out there willing to help you with the process, but don’t just buy a set of policies that are described as GDPR compliant, because without the above process, they can’t necessarily be compliant and useable. Take time and care, and get it right.
Coming, ready or not
Brightman, the Gloucestershire-based IT consultancy, is running an initiative to provide free GDPR support to local charities.
Southmead Community Centre in Bristol is just one of the charities to benefit from Brightman’s complimentary GDPR service, which consists of consultancy and workshops over a number of days.
Brightman feels strongly about giving back to the community, and its “Helping Hands” programme is aimed at offering free advice to charities on a range of topics that could affect their business. GDPR is the first topic to be supported under the Helping Hands initiative.
Brightman is asking other charities to register their interest in the service on its website.