No matter how forewarned you were about the impending General Data Protection Regulation, it’s likely preparations have felt somewhat like a sprint. With the far-reaching mandate soon to be in place, organisations have been rushing to overhaul their deeply-embedded data management systems in the hope of compliance come May 25th.
However, our advice to everyone who holds data is that this preparation should be a marathon and not just a sprint.
Businesses that hold data need to ensure that this data is nurtured, respected and taken care of so that the business can thrive and avoid being penalised by the ICO. This is not a situation that is going to go away after the 25th. This is the future and we all need to get used to it.
The cost of a misstep is significant, so any dash towards the finish line is more than worth the effort. But, the truth is, the GDPR game has barely begun. The sprint was just the warmup, while the heart of the matter must be handled like the long-distance event it is.
What’s New with GDPR?
The existing EU Privacy Directive already touches upon many of the areas of personal data protection, but GDPR will add a whole new level of detail to current policy. For those abreast of present regulation, adhering to the new requirements may not be such a tall order; but for those less accustomed, getting up to speed could – in itself – be exhausting.
This is particularly true given the labour-intensive documentation required for staying on the right side of the law, and the fact that there is no hard-and-fast ruleset to illustrate exactly what it means to be ‘GDPR-compliant.’
It’s a matter of keeping up with best practice while keeping an eye on how your internal data management systems evolve.
With traditional certification – say, ISO or SOC – companies adhere to a certain standard and are then awarded the appropriate piece of paper. However, with GDPR, organisations are given guidance as to what is expected, but it is up to each entity to determine exactly how to follow advice – without anyone to confirm the right actions have been taken.
Moreover, the regulation could be liable to evolve as time moves on, while interpretations of one legal term today could be construed differently tomorrow.
The principal risk of GDPR is assuming that, just because you have taken the necessary steps to reach a compliant state now, you will remain that way for the foreseeable future. The vagueness of the system requires a more long-term outlook – and legal counsel is always advised.
Processor vs Controller – Why Does it Matter?
A major step towards GDPR compliance is ensuring you have a robust, scalable, and transparent system that satisfies conditions according to the way you utilise personal data.
Data Processors collect and process data on behalf of a Data Controller, while the Data Controller decides on the actual purpose of the processed data. It is entirely possible for a single organisation to cover both roles – so it is vital businesses understand on which side of the fence they stand, if not both.
Once this element is understood, organisations can then establish their future data processing agreements and guarantee they have the right processes in place to keep them in line with GDPR over the long term.
Critically, the above definitions can apply to any organisation which controls or processes personal data, from large multinationals down to a single-employee e-commerce store. If you are collecting or using data for any sales, marketing, or communications purpose, you must stay on top of the regulation.
Handling a Breach
The most significant overhead from GDPR may come in the form of ongoing oversight of systems, processes, and security: should any breach occur, companies have just 72 hours to notify the authorities.
The process in itself has a raft of procedures and expected disclosures, so internal systems must remain alert to potential threats. More to the point, enterprises must alert all those affected by the data breach without delay, further raising the stakes in the regulatory long game.
After all, a data breach is a high-stress environment, and when timelines are tight and answers are critical, only a transparent process will win out. For this reason, you must maintain clear policy and highly-trained staff so that you can respond in a time-appropriate manner.
Moreover, a well-structured – and well-maintained – data management solution will simplify the audit process in the event of any calamity.
Maintaining a Steady Pace
GDPR is going nowhere. So, you must treat it as a central consideration in the future of your business. This includes maintaining open communications with those in control of data policy, with your IT team, and with legal – as well as ensuring the wider business remains aware of expectations.
For example, your HR team must appreciate their responsibility in the context of protecting employee information.
GDPR is a substantial responsibility for the entire organisation – from executive-level right through to the operational side. As such, the most prepared companies have embraced the regulation into their long-term strategy, with the appropriate mitigation programs to manage risk – no matter how the landscape evolves.