General Data Protection Regulation is set to come into force on 25th May 2018. Irish organisations now have a limited amount of time to ensure compliance. If you’re wondering whether GDPR applies to your business then this blog is for you. And if you have more questions when you reach the end then make sure to attend IBM and Ward Solutions’ free seminar on 10th February in the Royal College of Physicians, Kildare Street, Dublin 2. More information can be found below.
Ward Solutions recently revealed its cyber security predictions for 2017. Based on our end-of-year review, these predictions outline various areas of focus for Irish businesses in the coming year. One key finding was that most Irish organisations do not realise the scale of the challenge involved in becoming compliant with the impending General Data Protection Regulation (GDPR), which is due to come into force in May 2018.
This prediction drew a lot of attention from the media, and for good reason: GDPR will have far-reaching effects on Irish organisations that handle personal data when it comes into force next year, and, because of this, it is set to be the central topic for discussion in information security in 2017. Organisations need to act now in order to ensure timely compliance.
Many organisations have underestimated the workload required to become compliant, and by the time they realise the scale of the challenge they will be forced to seek assistance from a limited pool of knowledgeable external resources. For this reason, achieving compliance in time will end up costing a lot more than they bargained for.
Acting now will ensure that companies can start 2018 safe in the knowledge that they will not be liable for fines of up to 4% of annual global turnover or €20M, whichever is greater. Perhaps even more significant is the fact that organisations that fail to demonstrate compliance will be directly liable to compensate persons who have suffered material or non-material damage as a result of an infringement of the regulation. Taking the appropriate action now can ensure that companies avoid any such liability.
Organisations need to start by asking themselves a number of questions to establish their current position on the compliance ladder. The following questions can help you form a good estimate of whether or not you are ready for GDPR.
- Does GDPR apply to you?
First of all, it’s important to ask if GDPR applies to your organisation. Although there are a number of criteria, GDPR ultimately applies to companies that process the data of EU citizens, regardless of whether or not they have a physical presence in the EU. This is a change from the rules of the Data Protection Directive, the legislation which is being replaced by GDPR, and is an important aspect to be aware of.
- Do you know where your data is located?
The results of a recent survey conducted by TechPro magazine on behalf of Ward Solutions found that one-fifth of organisations don’t know where their data is located. GDPR will require companies to have increased oversight of where their data is stored, and where it flows as it travels through the supply chain.
- Does your organisation require a Data Protection Officer?
GDPR requires that all public authorities, and any business involved in large-scale processing of personal data, appoint a Data Protection Officer in time for the legislation coming into force. Appointing a DPO will be a challenge for organisations: the suitable candidate will be expected to have expert knowledge of data protection law and practices, while also showing a sufficient understanding of IT systems and processes, data security (including dealing with cyber-attacks) and the other critical security needs around the processing of personal data. Organisations should therefore begin the recruitment process for this position as soon as possible, bearing in mind that it could take a significant amount of time to find the right person for the role. For some organisations, outsourcing the role to an external consultancy or legal firm with appropriate information security, cyber security and data protection expertise might be the preferred option.
- Can you demonstrate accountability?
Under GDPR, organisations will be held more accountable for the security of their data than ever before and will be expected to be able to demonstrate compliance with data protection principles. In order to safeguard their futures, organisations should, therefore, ensure that they have adequate records of all data processing operations and make sure that such records are being kept up to date.
- Can you comply with the new rights?
GDPR will also introduce a number of new rights for people regarding how companies handle their personal data. Chief among these is the so-called ‘right to be forgotten’, which will allow people to demand that their data be erased on a number of grounds. Where the controller has made the personal data public, it is also responsible for informing other controllers who are processing the data that they must erase any links to, copies of, or replications of the personal data in question.
- Have you built privacy by design and by default into your business processes?
As well as the new requirements outlined above, the increased focus on data protection measures being introduced under GDPR will require organisations to ensure that data protection is designed into the development of business processes for products and services. This is known as Privacy by Design and by Default. The same stipulation requires that, by default, only the personal data necessary for each specific purpose of processing is processed.
- Can you detect and respond to a data breach within 72 hours?
Finally, should your organisation suffer a data breach, GDPR will require that you notify a data protection authority within 72 hours of becoming aware of it. You will be required to identify the nature of the data that has been breached and the approximate number of people affected. What’s more, those directly affected by the breach may also need to be informed.
Failure to meet the 72-hour deadline is also taken into consideration and could put your organisation at risk of receiving an even higher fine.
GDPR is one of the most significant pieces of legislation of recent times to affect organisations whose core activities involve the processing of data. With a huge number of organisations now processing customer data on a daily basis, GDPR will set the tone for the majority of conversations about cybersecurity in 2017. To help Irish businesses better understand the legislation, IBM and Ward Solutions will host a seminar entitled ‘Will GDPR drive your security strategy in 2017?’ on Friday, 10th February in the Royal College of Physicians on Kildare Street, Dublin 2. Information security and privacy experts from IBM and Ward Solutions will highlight the considerations and prioritised information security activities that you need to undertake in 2017 in order to become GDPR compliant. The event is free to attend, and those interested should register now at https://www.ward.ie/insights-news/GDPR/