Implementing a GDPR strategy: What you need to know

Simon Kouttis, head of cybersecurity at Stott and May, explains what you need to know about the upcoming GDPR.

The European Commission’s General Data Protection Regulation (GDPR) is coming into force on May 25, 2018. With this comes new rules regarding the collection and processing of personal data which will affect some 508 million EU residents – and any organisation that handles their information.

According to a survey from Close Brothers, only 4% of British companies understand the potential impact of this legislation. They would do well to get up to speed.

In less than two years’ time, businesses will have to gain explicit, stated consent before collecting an individual’s data. They will need to wipe this data after a prescribed period of time, and individuals will need to be made aware of how their data will be used and of any rights they have pertaining to its processing. In the event of a serious breach, companies will need to inform the Information Commissioner’s Office within 72 hours – as well as anyone impacted by the intrusion.

There is much, much more, and any businesses thinking the recent Brexit vote gets them off the hook will be sorely disappointed. Come 2018, if your company markets goods or services to any of the European Union’s member states, or if you handle any of the data of its 508 million residents, it’s subject to these rules.

The US, New Zealand, Morocco: wherever your business is, it’ll likely be affected. Failure to comply with certain stipulations could result in fines of up to €20m or 4% of annual international turnover – whichever is greater.

It’s an uncomfortable development for homegrown enterprise, and one that’s likely to be quite expensive: the Department for Justice estimates that compliance will cost UK businesses £2.1bn over 14 years.

If you run one of these businesses, you shouldn’t despair yet: you’ve got two years to prepare for these new rules and become fully compliant. Nonetheless, it’s worth getting the ball rolling with your GDPR strategy – time is very much of the essence.

Review your data

The most stringent parts of the GDPR relate to information collection and protection. It’s an unfortunate, but unavoidable truth that you’re going to have to rethink the way you process and store information.

In some respects, this was kind of necessary anyway – though if you resent the EU for forcing the issue, few would blame you. The age of big data has been largely positive, but it’s also led to a culture of collecting information for no discernible business purpose: a survey from Pure Storage found that 72% of businesses amass information that they never use later on; 22% of those queried said they do it “often”.

Embed the GDPR into your existing strategy

Under the GDPR, collecting personal data with no discernible purpose will be illegal. Again, it’s perhaps unnecessarily harsh, but if it forces you to streamline your data collection processes, it might have a positive outcome.

Start doing this now, and integrate the GDPR into your existing information security strategy.

Review the way your organisation accumulates and handles its users’ records. What data do you have? Where is it stored, which internal and third-party stakeholders have access to it, and how well is it protected?

Make sure you’re not handling anything you don’t strictly need, and have a process for informing users that you intend to use their data and obtaining their consent.

Prepare for the worst

When you have good answers to these questions, you can set about revamping your existing security strategy.

In particular, it’s necessary to work out how your company is going to handle a data breach. While you’ll almost certainly have security measures in place already, compliance is only one part of the equation.

You’ll need to conduct an impact assessment to ascertain any risk associated with processing, and in the event that your systems are compromised, you’ll need to notify the authorities and the affected users.

Arguably the real problem, however, is reputational damage. Consider the recent TalkTalk scandal.

The company was completely unprepared for the damage that was done – it charged customers £250 to quit the service, and chief executive Dido Harding refused to apologise for it – and was more or less deservingly butchered by the media for it.

Always assume that a breach is imminent. Have holding pages and statements ready in draft form on your website so you can release a quick, detailed, and suitably apologetic response to any potential breach or loss.

The GDPR demands that you keep customers informed, so in many respects, the way you deal with a violation is more important than the violation itself.

Hire or expire

Of course, prevention is the best cure, and strategic hiring will invariably play a key role in ensuring compliance and protecting any information you process and hold.

Much has been said about the potential role a Data Protection Officer (DPO) might play.

Even if you do hire a DPO, you shouldn’t stop there. It’s important to remember that these employees are there to ensure adherence to the GDPR, not create a culture of protection.

They’ll tell you which forms to fill in and which processes you need to follow, but they won’t tell you anything about encryption, storage, or network segregation in the way that a Chief Information Security Officer (CISO), for example, can.

In all the talk of compliance, it can be easy to forget that this legislation is supposed to be about protecting data and mitigating potential danger.

Hackers don’t particularly care about the GDPR: they’ll target rule-breakers and rule-abiders alike.

Hiring, customer relations, and security shouldn’t be box-ticking exercises (though you will inevitably have to tick these boxes): it’s in your interest to use data correctly, be transparent with consumers, and safeguard your most vital systems.

Whatever the EU says, you should never lose sight of that.
