GDPR’s Importance for Businesses
Data is an immensely valuable asset in the 21st century. In the era of the digital economy, the General Data Protection Regulation (GDPR) provides the lawful basis on which companies process personal data and mirrors the previous requirement to satisfy one of the ‘conditions for processing’ under the Data Protection Act 1998 (the 1998 Act).
GDPR comes into effect on 25th May 2018 and applies to organisations located in the EU (including the UK), and also to those outside the EU that deal with EU companies or process or hold data of subjects living in the EU.
The EUGDPR official website states that GDPR applies to controllers and processors: “A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller”.
Many of the GDPR’s principles are similar to the rules in the current Data Protection Act (DPA). Any company can therefore use its compliance with the current DPA as the starting point for preparing for GDPR. The major new requirements GDPR introduces are accountability and transparency: businesses need to inform users upfront about the lawful basis on which they process their personal data.
Organisations that are not compliant with GDPR can be fined up to 4% of annual global turnover or €20 million, which is the maximum fine for the most serious infringements, such as processing customer data without consent. Fines are applied in a tiered approach and affect both controllers and processors. It is therefore critical for businesses to be well aware of the GDPR requirements and to enforce them.
In preparing for GDPR, organisations need to be aware that no software vendor offers a single solution that delivers GDPR compliance. The process involves several stages, including:
- Map the organisation’s compliance data; this may require an information audit.
- Identify the lawful basis under GDPR for each data processing activity and document it.
- Audit the personal data you hold, process and share.
- Understand the risks associated with GDPR and the possible impacts on the business.
- Ensure that procedures cover all individual rights related to personal data.
- Know the fines that could be imposed for non-compliance.
- Improve privacy processes and the organisation’s capability to secure data.
- Review how consent is sought and managed, and make the necessary changes where it is not compliant with GDPR.
- Understand when and how to implement privacy measures and assessments in your organisation.
- Support the implemented security techniques with measures that improve information visibility and protect against possible cyber-attacks and data misuse.
- Implement procedures to detect and report a data breach.
- Designate someone to ensure GDPR compliance, and assess whether a Data Protection Officer (DPO) is required.
- Be aware that new procedures may be needed to deal with GDPR’s new transparency and user-rights provisions; this can have significant implications for technology, budget and governance.
- Identify the specific GDPR provisions that have the greatest impact on your business model, since some organisations will be more affected by certain changes than others.
- IDC has developed a self-assessment tool that can help organisations prepare for GDPR.
(Disclaimer: This blog is written for Enscite solely for information purposes. It is not intended, and should not be relied upon, to form the basis of any investment or other decision.)
Muhammad Kazim, a doctoral candidate in Cyber Security at the University of Derby
Muhammad’s research interests include cloud security, network security and distributed systems. He is working as a Research Assistant with Enscite.