Fergal Crehan outlines a few simple first steps that will bring even the most unprepared business closer to GDPR compliance.
On 25 May 2018, the General Data Protection Regulation (GDPR) comes into effect. Businesses of all sizes will be obliged to ensure data security, keep records and train employees.
With just weeks to go to the deadline, many businesses still seem to be adopting one of two approaches: head in the sand, or head in a spin. The former is not ideal and the latter is really not necessary. The most important thing to remember is that there are obligations you simply cannot avoid – and, as far as the regulator is concerned, ignorance is no defence.
Fortunately, there’s still time to take the necessary steps to achieve compliance, avoid fines and keep the regulator happy.
If your business is already data protection-compliant, the changes to your processes required for GDPR compliance will not be that onerous. A key difference pre- and post-deadline will be the size of the fine you are likely to incur if a data breach occurs.
Whereas the current maximum fine is in the thousands of euro, under GDPR it will be 4pc of global annual turnover or €20m – with the final decision on the size of the fine at the discretion of the regulator. The harmonisation of regulation across Europe that GDPR represents is likely to lead to a similar Europe-wide levelling-off in the size of fines. This will result in fines in Ireland going up, while those in the rest of Europe, where they have generally been higher, will be coming down. Even for smaller breaches, the stakes will be raised.
There are a few simple steps to take to quickly move even the most unprepared business closer to compliance.
The first is to understand exactly what data you hold, and where. Are there unused PCs in a storeroom somewhere that have never been cleared of data? Is customer data held on mobile devices such as smartphones? If so, are those phones synced to iCloud? (In which case, any data they hold will automatically be uploaded to the cloud – a function that should immediately be permanently disabled.)
The second is to deal with data that is no longer required. This doesn’t mean simply archiving it (where it could still be liable to a data breach) but purging it entirely through a secure method of deletion. You should also put processes in place to prevent any future build-up of out-of-date data through a routine of data deletion when it reaches a certain age.
Mobile devices are at greater risk of theft, which makes them a major data security headache, so applying some form of device management is a wise precaution. This could include automatic remote deletion of data over a certain age, and the capability to remotely wipe all data if a device is lost or stolen.
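As an added illustration of the age-based deletion routine the last two paragraphs recommend (this is not code from Fergal Crehan's article), the Python sketch below marks records that have passed a per-category retention period for purging, sends records of unknown category for human review rather than silently deleting them, and writes an audit line that evidences the purge without itself retaining the personal identifier. The categories, retention periods and record data are constructed; the actual secure erasure of the underlying storage is assumed to happen elsewhere.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib

# Constructed retention policy in days per data category.
# Real values come from your own written retention policy.
RETENTION_DAYS = {"customer": 365, "marketing": 90}


@dataclass
class Record:
    record_id: str      # identifier of the personal-data record
    category: str       # which retention rule applies
    last_used: datetime # last legitimate business use (UTC)


def is_expired(rec, now, policy=RETENTION_DAYS):
    """True if past retention, False if still needed, None if no rule covers it."""
    limit = policy.get(rec.category)
    if limit is None:
        # No rule: never delete silently, flag for review instead.
        return None
    return now - rec.last_used > timedelta(days=limit)


def sweep(records, now, policy=RETENTION_DAYS):
    """Return (ids_to_purge, ids_to_review, audit_lines)."""
    purge, review, audit = [], [], []
    for r in records:
        status = is_expired(r, now, policy)
        if status is None:
            review.append(r.record_id)
        elif status:
            purge.append(r.record_id)
            # The audit trail proves a purge happened without keeping the
            # identifier itself; a truncated hash is enough to correlate.
            digest = hashlib.sha256(r.record_id.encode()).hexdigest()[:16]
            audit.append(f"{now.isoformat()} purged category={r.category} id_hash={digest}")
    return purge, review, audit


# Constructed sample data: one expired and one current customer record,
# one expired marketing record, one record with no retention rule.
NOW = datetime(2018, 5, 1, tzinfo=timezone.utc)
SAMPLE = [
    Record("cust-001", "customer", NOW - timedelta(days=400)),
    Record("cust-002", "customer", NOW - timedelta(days=30)),
    Record("mkt-001", "marketing", NOW - timedelta(days=91)),
    Record("old-001", "legacy", NOW - timedelta(days=1000)),
]


def run_sample():
    return sweep(SAMPLE, NOW)
```

The review list is the interesting output in practice: every category that turns up there is data the business holds without a retention rule, which is exactly the "what data do you hold, and where" gap the first step asks you to close.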
Knowing that only more recent data is held on a device will not only limit and define the scope of the breach, but also provide damage limitation in terms of reporting the breach and any associated reputational embarrassment.
GDPR is designed to protect your customers, but compliance also protects your business.
A data breach will result in a sizeable fine and the reputational damage alluded to above. In addition to reporting a data breach to the regulator, if it can’t be proven that, for example, a stolen mobile device was encrypted, then there may also be an obligation to inform every single customer whose data has been compromised. Once that fact is in the public domain, embarrassment, loss of reputation and loss of business will be almost certain to follow.
Limiting the consequences through GDPR compliance will protect your customers, your reputation and your business.
The potential business damage a data breach can cause means the responsibility for achieving GDPR compliance must be assumed at the highest level. While it’s essential to appoint a data protection officer, their role will essentially be advisory, and ultimate responsibility will lie with senior management.
Not keeping data any longer than necessary, not keeping data you don’t need or shouldn’t have, and keeping it secure, are all second nature to businesses that already have a culture of data protection compliance. For them, the necessary expertise will already reside within the organisation.
For businesses with a less-than-compliant track record, it will be necessary to seek expert advice either from their own legal department or from external advisers with lengthy data compliance experience. The regulator will want to see clear evidence that a robust data security policy is in place, that a data protection officer has been appointed, that regular staff training in compliance is undertaken, that self-auditing is conducted and that there are well-maintained written records to prove it.
This may all sound like an enormous challenge to achieve by May, but the consequences of not doing so are more enormous still.
Fergal Crehan is data protection manager at Three Ireland where he manages and advises on data protection and privacy compliance, leading GDPR readiness across the organisation.