The General Data Protection Regulation (GDPR) is part of a wave of new legislation due to come into force on 25 May 2018. Sarah Pearce, partner at law firm Cooley, offers a schedule of actions to get your business ready for it
Businesses' overriding concern about GDPR (aside from its extra-territorial scope), and the aspect that has been hitting the headlines, is the sanctions regime for non-compliance, more specifically the potentially huge fines.
The degree of non-compliance will of course vary but, generally speaking, if you violate the law (eg by mishandling personal data, failing to secure it appropriately, or failing to notify a breach), the GDPR gives regulators the authority to impose fines of up to €20 million or 4 per cent of worldwide annual turnover, whichever is greater. Non-compliance could also delay, or cause you to miss out on, a key transaction or investment opportunity.
Some of the new requirements (legal, technical and operational) are significant and may take time to implement. So, with just over 5 months to go, how ready are you?
According to the latest statistics, only 5 per cent of companies believe they are already compliant with the requirements, and 27 per cent of those surveyed were not confident they will be ready by the time the GDPR kicks in.
Don't worry: if you get on it now and follow the steps outlined in the suggested plan below, you can be well on your way to being GDPR-ready by 25 May 2018.
January: Raising awareness
- Gather a GDPR team (this is a multi-stakeholder issue) and appoint a Data Protection Officer to lead it (mandatory only for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special-category data, but advisable for everyone else)
- Involve management across the organisation and engage the board as soon as possible – allocate budget
- Conduct data protection and cybersecurity training
January – February 2018: Information gathering/gap analysis
- Conduct a GDPR survey: an information-gathering exercise to build an inventory of what personal data the company holds or has access to, where it is stored and why it is processed (this inventory also feeds the record of processing activities that the GDPR requires most organisations to keep)
- Gap analysis: map data flows against GDPR requirements to identify any gaps
- Develop an implementation plan: identify and prioritise actions on a risk basis
March – May 2018: Implementation
- Review/prepare/update: privacy policies and other policies; other notices (internal and external); contracts with third parties, in particular data processors; internal practices, processes (data handling, data security, and incident response, including the ability to notify the regulator within 72 hours of becoming aware of a breach) and record keeping
- Assess technology against GDPR requirements: develop strategies for privacy by design and by default (minimise processing and retention; use encryption and pseudonymisation where possible)
May 2018 and beyond: Monitor and maintain
- Regular training across the business
- Regular monitoring of updated systems, policies and procedures
- Regular (at least yearly) review of data protection impact assessments, plus a new assessment before any new processing likely to result in a high risk to individuals