By Bethany Gordon
The GDPR (General Data Protection Regulation) will change how businesses operate when it comes into effect on May 25 2018. There is a mounting sense of panic in businesses of all sizes, which will only grow as ‘GDPR-day’ nears.
GDPR is one of those scenarios where failing to prepare is preparing to fail, so be careful not to develop a false sense of security.
By first understanding more about GDPR, it will be easier to look at your business and “diagnose” your situation.
What is GDPR?
GDPR was developed by the EU to address the data protection issues that have emerged as the internet has grown.
GDPR will better protect the personal data of individuals by setting stricter data handling rules for businesses.
What will GDPR mean for my business?
While the GDPR regulations will place higher demands on companies with more than 250 employees, all companies, big and small, will need to comply with new regulations regarding the secure collection, storage and usage of personal information.
Any business that fails to adhere to the core principles of GDPR could face fines as high as 4% of their global revenue.
How can I be prepared for GDPR?
There are a few things you should do now to ensure you are compliant with GDPR before the regulations are implemented.
Learn as much as possible about GDPR.
GDPR is big news, which means there’s a wealth of information and resources available to help individuals and companies better understand what the regulations will mean for them.
The resources we found useful are listed in the resources section at the bottom of this page.
Get a better understanding of where your business stands.
Print a copy of the following GDPR Checklist from Hubspot: https://www.hubspot.com/data-privacy/gdpr-checklist
The checklist is broken down into 4 sections: Assessment; Project Plan; Procedures & Controls; and Documentation. Work through the checklist, ask questions, make notes. Every business is different but this practical guide will help you understand where your business stands in terms of GDPR compliance.
Consider adopting ISO 27001.
When GDPR comes into effect, large companies (more than 250 employees) are required to employ a Data Protection Officer (DPO), who will be responsible for ensuring a business collects and secures personal data responsibly.
Small companies are not required to hire a DPO. Without dedicated data protection personnel, they are expected to struggle to meet the requirements of GDPR.
To comply with the regulation, and avoid crippling fines, small companies are advised to adopt best-practice standards, for example ISO 27001.
What is ISO 27001?
ISO 27001 is an information security standard. It is considered by many to be the foremost and most rigorous of all the best-practice information security standards.
ISO 27001 formally specifies how to establish an Information Security Management System (ISMS), which demonstrates to stakeholders and clients that the organisation takes a disciplined approach to information security management.
A business certified to ISO 27001 will have the upper hand when GDPR comes into play, as the changes required when the regulations take effect will be limited.
While competitors scramble to make changes, the organisation that adheres to ISO 27001 can conduct its business with confidence.
Get ready, get set, go!
Digital Minister Matt Hancock has confirmed that even after Brexit – when EU regulations no longer apply in the UK – the UK Government will replace the outdated Data Protection Act (1988) with legislation that emulates the GDPR.
With this in mind, we would urge businesses not to wait for all this to pass. GDPR is coming, there’s no escaping it!
The sooner you begin preparing, the easier things will be when the regulations are implemented.
Resources
Ico.org.uk. (2017). Data protection self assessment toolkit. [online] Available at: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment-toolkit/ [Accessed 24 Oct. 2017].
Lobel, B. (2017). Dealing with cyber attacks: Your small business will be affected. [online] SmallBusiness.co.uk. Available at: http://smallbusiness.co.uk/dealing-with-cyber-attacks-2538554/ [Accessed 24 Oct. 2017].
Nqa.com. (2017). ISO 27001 and GDPR Requirements | ISO 27001 | NQA. [online] Available at: https://www.nqa.com/en-gb/resources/blog/august-2017/iso-27001-gdpr-requirements [Accessed 24 Oct. 2017].
Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now. (2017). 2nd ed. [ebook] Information Commissioner’s Office. Available at: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf [Accessed 24 Oct. 2017].
FQM Ltd are a QHSE support organisation, providing managed services, business management systems, compliance software and training in various industries across the UK.