By Hazel Freeman, Managing Principal Consultant, Consulting Services, Pulsant
With just six months to go until the final deadline for GDPR compliance, the media is rife with stories related to the regulation. Indeed, GDPR is dominating business conversations. Yet questions remain: do organisations understand the implications, are they ready for compliance, and how will business be affected? There has also been a fair bit of scaremongering in the news, particularly around the new (steep) fines that may be levied against organisations that experience a breach or don’t comply.
There has also been a strong focus on the changes for business. Let’s take a step back and remember that the implementation of GDPR is a good thing: its aim is to protect EU citizens from privacy and data breaches, improving their existing rights. The regulation has been in the works for a long time, and it builds on (and improves) the current set of regulations. So while there have been changes, it is important to keep in mind that many organisations have already been building up to this point, because they have been complying with the previous, existing legislation.
Going back to the issue of fines: yes, they will be steeper (up to 4% of annual global turnover or €20 million, whichever is greater), but as the Information Commissioner’s Office (ICO) points out, fines are a last resort. In today’s shifting cyber threat landscape, it’s fair to say businesses won’t be able to avoid breaches entirely. Instead, they should focus on mitigating the risk of a breach and ensure they have the controls in place (by implementing frameworks such as Cyber Essentials Plus or the IASME standard) to deal with breaches when they do occur.
Moving ahead to May 2018 and the compliance deadline, organisations also need to consider the human element of GDPR. People are widely acknowledged as the weakest link in cyber security, so staff need to be educated and made aware of how the new regulations affect them. They need to understand what they must do (and not do) under GDPR, just as they did under the previous legislation.
Two other key issues, consent and reporting, play a role in ongoing risk mitigation. Looking at consent, if organisations want to process personal data, they need not only to gain consent in a transparent manner, but also to make it simple for consumers to withdraw that consent. According to the ICO, the purpose of this is not to make life more difficult for businesses, but to raise the bar to a higher standard for consent.
The same can be said of reporting. Once a breach has occurred, organisations need to report it if it will affect people’s rights and freedoms. And again, according to the ICO, the new reporting structure will change the way businesses and the ICO itself identify, deal with and respond to personal data breaches.
So the question remains: are you ready for GDPR? If the answer is “no” or “I don’t know”, or you just want an independent opinion, there are a number of resources you can make use of to help your organisation ready itself for the May 2018 deadline. Pulsant understands the challenges your organisation faces, and we’re already working with a variety of other businesses, helping them understand their requirements and partnering with them to achieve compliance.
To find out more about how we can help you, get in touch.