The European Union’s General Data Protection Regulation (GDPR) seeks to give individuals defined controls over their personal data. The GDPR also brings stricter rules and far larger fines for organisations that fail to comply. It is prudent that you and your team assess the likely impact of the GDPR on your organisation now and begin adapting practices to fit the new data protection legislation.
Following these five tips will help your business achieve EU GDPR compliance ahead of the fast-approaching deadline of 25 May 2018:
1. GDPR Compliance Matters, Wherever You Are
Companies that handle or process the personal data of individuals in the EU must prepare for the GDPR, even if they are situated outside the physical boundaries of the EU member states. Organisations that sell or market products or services in the EU, monitor the behaviour of people in the EU, have EU-based employees, or are partnered with EU companies will be affected by the regulation. All companies that qualify under the GDPR as data processors or data controllers should be able to show evidence of staff training and ongoing monitoring. Staff must be well aware of the reputational as well as financial risks if a data breach takes place.
2. Heftier Fines for Non-Compliance
The GDPR significantly increases the maximum fine for non-compliance. For the most serious breaches, non-compliant organisations can expect administrative fines of up to 4% of total worldwide annual turnover or €20 million (more than $30 million AUD), whichever amount is higher. A lower tier of up to 2% or €10 million applies to other obligations, such as failing to keep records of processing or to notify a breach.
3. Hire a Data Protection Officer, Pronto!
Many businesses will be required to appoint an individual to oversee data protection and compliance. Appointing a Data Protection Officer (DPO) is mandatory for public authorities and for organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of sensitive categories of data. The DPO may be an existing employee or an external contractor, but must be able to act independently. Before appointing a DPO, leaders within the company should conduct an internal analysis to determine the extent to which personal data is being processed and the categories of data being compiled. If the group decides against appointing a DPO, there should be a documented record of the analysis to support that decision if the regulator asks.
While speaking at a global conference, Timothy Pilgrim, Australia’s Information and Privacy Commissioner, said that organisations should have a DPO, even though Australian law does not explicitly demand the position. He went on to say that Australian businesses should check whether they are compliant with the Privacy Act 1988, as it is quite similar to the requirements laid out in the GDPR, especially in regard to compliance via a privacy-by-design approach.
4. Revise Data Handling Processes
With the onset of the GDPR next autumn (May 2018), Australian businesses will bear greater responsibility when personal data is mishandled, whether they act as a data processor or a data controller. The regulation arms data subjects, meaning private individuals, with the right to seek judicial remedies and compensation directly. In addition, a personal data breach must be reported to the relevant data protection authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk, the affected individuals must also be notified without undue delay.
Because the GDPR protects personal data in whatever form it is held, implementing an Information Security Management System based on ISO 27001 will help an organisation meet its security obligations. ISO 27001 provides controls that map to protections the GDPR calls for, including secure development practices that support ‘Privacy by Design’ (ISO 27001 Annex A.14, system acquisition, development and maintenance) and ‘Asset Management’ (Annex A.8), which requires an inventory of the systems and data you hold. Adopting ISO 27001 builds awareness across the organisation of its security posture and of how security affects both people and processes. Note that ISO 27001 certification on its own does not make an organisation GDPR-compliant: it covers information security, while lawful basis, consent, data subject rights and breach notification still need to be addressed separately.
Organisations have to take on greater accountability where the use of personal data is concerned. This includes regular maintenance of internal records of processing activities and a risk-based approach centred on data protection impact assessments (the GDPR’s term for privacy impact assessments) for high-risk processing. What constitutes ‘personal data’ is also changing, as the definition is more expansive than before. ‘Online identifiers’ now include anything that may identify, or be linked to, an individual, including IP addresses, advertising IDs and cookies.
5. Making a Compliance Checklist and Checking it Twice!
The first priority should be to make sure all key decision-makers and employees are aware of the GDPR, its date of implementation and the impact it will have on the business moving forward. Set an internal benchmark to review existing policies over this holiday season. By January 2018, company leaders can meet to map out a compliance checklist that ensures processes addressing the new regulation are implemented ahead of the deadline.
Any organisation that takes the initiative now to review and determine its obligations and duties under the new data privacy legislation will get a head start on the GDPR.
Now is the time to start reviewing your arrangements for the GDPR and to implement an Information Security Management System that complies with ISO 27001:2013. What other tips have you come across for preparing for the GDPR? Let us know, as we're preparing an ebook with useful tools to assist Australian organisations.