The preparations you need to make ahead of GDPR
GDPR is only a few months away, and a lot of the coverage has focused on the impact the regulation will have on the IT and finance departments in businesses. Whilst it’s true that GDPR compliance should be driven largely by finance and IT departments, there’s more to it than that.
One area where there’s little clarity is whether businesses are required to hire more staff. The Data Protection Officer (DPO) role is covered in the regulation document, but many argue it’s unclear whether this is necessary for their business; Privacy International comments that the bill is "unnecessarily complex".
Some businesses are required to appoint a DPO including public authorities, businesses that process special categories of data (such as criminal convictions and offenses) and organizations that "carry out large scale systematic monitoring" of people, like website traffic tracking software companies. The Article 29 Data Protection Working Party, an advisory body designed to support compliance with the Data Protection Directive, advises businesses to assume they do need a DPO unless they can prove otherwise.
Many businesses aren’t aware that the requirement of the DPO needn’t change their headcount. Businesses can appoint the role of DPO to an existing employee, providing they have the right skills and knowledge to take on its responsibilities. It’s also possible to appoint the role of DPO to an external consultant, and therefore ‘share’ the person with another business -- effectively outsourcing the role. This could be particularly effective for small-to-medium businesses that don’t have an employee who could naturally take on the DPO role, or the budget to hire an additional person.
For some time, there has been confusion over whether small businesses -- designated as those with under 250 employees or 5000 records -- needed to appoint a DPO at all. This originated from an early draft of the GDPR which suggested ‘large scale’ data processing was based on the aforementioned figures. Senior Technology Officer of the Information Commissioner’s Office (ICO), Peter Brown, clarified this recently by stating: "I’ve heard plenty of people talking about there being a DPO exemption for SMEs -- this is absolutely not the case."
Whether a business chooses to appoint the DPO as a brand-new position or assign this responsibility to an existing employee, there’s no doubt that GDPR compliance can be costly to businesses. Revising existing policies and processes, and indeed creating new ones, will be key to success under GDPR. Businesses must assess how they process customer, prospect, supplier and even employee data under the new regulation. GDPR states that businesses must have a "lawful basis" for processing specific types of Personally Identifiable Information (PII); this is aimed at reducing the unnecessary collection of personal data and protects individuals first and foremost.
For many businesses, the cost will be in employee time, as staff in HR, compliance and IT must undertake the work of revising and creating processes. Some companies may need to outsource this work if they don’t have the resources or the relevant teams. Colleagues in marketing won’t necessarily play a role in this exercise -- although, as data handlers, their input would be valuable -- but they may need to revisit contracts with external suppliers, including email marketing platforms, lead generators and so on. A key requirement here will be to manage what the GDPR refers to as ‘data processors’; if your suppliers aren’t compliant, it’s possible that you’ll need to switch your services to a compliant supplier.
HR departments will likely be the most affected following IT and finance, as the GDPR gives both current and former employees more control over the data a business holds on them. HR personnel are likely to see an increase in subject access requests, where individuals can request access to the personal data held on them; this requires the ability to get an accurate picture of all of the data you hold on that individual. The subject can also request that their data be deleted if there’s no longer a reason to hold or process that personal data.
One area that will see significant investment is IT security. Businesses must put in place measures to protect the PII they hold. This protection can come in a number of forms, including robust anti-virus products and even threat-specific solutions such as anti-ransomware tools. One security measure the GDPR specifically mentions is data encryption; this protects particularly well against accidental data disclosure, for example an employee unknowingly emailing sensitive PII outside of the business, or access to data on a lost or stolen device. Data encryption adds a vital extra layer of security beyond password protection, which on its own can be bypassed. Data can be encrypted at the file, system, email or even user level to ensure the appropriate levels of protection are in place.
It’s recommended that businesses adopt a multi-layered approach to IT security for the best level of protection. This should definitely include some level of data encryption, as it’s specifically referenced in the GDPR, as well as reputable anti-virus software, network security and a robust firewall. An email provider that offers security features, such as the ability to block sending certain files or information outside of the business, adds peace of mind; whilst cyber-attacks are on the rise and hit the headlines daily, accidental disclosure accounts for 44% of data leaks (Verizon). The global WannaCry ransomware attack also brought attention to the importance of supported, patched systems; patching is an easy and cheap (free, if you have an in-house IT team) measure that, until recently, had a tendency to be overlooked.
There’s no doubt that GDPR compliance will come at a financial cost to businesses, whether that’s appointing a new DPO, changing to compliant suppliers, or building up the defensive walls through cyber security additions. But businesses should see GDPR as an opportunity to improve their processes and security; the latter in particular is often at the bottom of the business agenda as it’s considered -- particularly by small businesses -- as unnecessary. But with the widespread nature of cyber-attacks on businesses of all sizes, there’s never been a better time to improve security.