
GUEST BLOG: Why you should be preparing now for GDPR

By Business & Finance
25 November 2016

By George O’Dowd, founder and managing director of Novi Technology

The EU General Data Protection Regulation (GDPR) comes into law on May 25th 2018. This may feel like a long way away, but the obligations contained in the regulation are onerous and businesses need to be getting ready now.

The GDPR introduces stricter data protection rules for organisations that operate in the EU market and process or hold the personal information of EU citizens. This information ranges from email addresses, passport numbers, financial details, address details through to information relating to an individual’s religious or political beliefs.

The regulation will apply immediately once that date arrives, so businesses are being given plenty of notice to get compliant systems and processes in place.

The GDPR is designed to increase the privacy of individuals and protect their personal data. Hefty penalties can be imposed on companies that experience data breaches, some up to €20m depending on turnover and the amount of data being processed.

Businesses are well advised to begin now (if you haven’t already started!) putting in place procedures and systems that ensure compliance and protection against potential data breaches.

As cyber criminals get smarter and find more and more ways to hack into companies’ databases, the risk of a breach is increasing all the time.

Unprotected companies are not only risking their reputation with their customers; once the GDPR comes into effect they will also be liable to hefty fines in the event of a cyber-attack on their data.

WHAT ARE THE IMPLICATIONS FOR MY BUSINESS?

The GDPR places onerous obligations on companies to demonstrate compliance, requiring them to:

  • Maintain certain documentation
  • Conduct a data protection impact assessment
  • Implement data protection by design
  • Prove clear consent to process personal data

In the event of a data breach, businesses must notify the data protection authorities within 72 hours. All companies will have to adopt internal procedures for handling data breaches. These requirements apply to a business of any size that processes personal data for a commercial purpose, from a sole trader to an SME to a multinational.

Don’t make the mistake of assuming this won’t apply to your business because of its size, turnover or the amount of data it holds. SMEs and smaller businesses are expected to manage their data flows and processes to the same extent as larger companies.

Whilst some areas of the regulation recognise that SMEs have fewer resources and reduced capabilities, and may well pose less of a risk to the privacy of EU citizens, SMEs still cannot simply do nothing. They too have to address the conditions of the regulation and get compliant as far as is possible.

WHAT SHOULD I DO NEXT?
Inform your team
Make sure you raise awareness internally of the change in the law. Identify the key people in your organisation who can assist in the journey to compliance and enlist them on the project.

Data review and audit
Conduct an internal review and identify where data is held, e.g. HR records, supplier contracts, financial records etc. Review how data is processed and who has access to it, and document the findings.

Review your internal processes
Review your privacy notices and data collection processes to ensure they cover all the rights an individual has, especially around consent to collect and hold their data.

Adopt privacy by design
Document and implement methods to ensure that data protection becomes a key component of the company’s internal processes and is seen to be a key consideration in the early stages and throughout the lifecycle of any project – be it a new IT system, the sharing of data or the use of data for new strategic purposes.

Appoint a data protection officer
Consider appointing someone within your organisation to take ongoing responsibility for data compliance and protection.

Secure your data
Put systems in place to protect your data from a security breach. Map technology to the processes required to ensure compliance on an ongoing basis. Work with a cyber security solutions company that can put solutions in place to identify weak links in your network that could leave you vulnerable to attack.

Security as a service to ease the pain
Cyber security as a service delivers reliable, high-performance and cost-effective security as a managed service, taking the headache away from companies.

As cyber threats continually evolve and criminals find ways to evade systems, the changing threat landscape requires specialist expertise and a multi-layer approach. Managing all of this in-house is a real challenge for companies, and many of them are migrating some or all of the risk out of their IT departments into the hands of professionals.

Implementing security systems is not a one-off activity; it requires ongoing monitoring and improvement, as the cyber criminal’s modus operandi changes at an alarming rate. A good cyber security firm will utilise tools that are highly scalable, support multi-tenant environments and provide robust, single-pane-of-glass management to implement and maintain a secure data environment.

Don’t delay on the GDPR
Although mid-2018 may seem a long way off, businesses would be well advised to start planning now! Systems and processes take time to change. You can’t ignore the GDPR and you can’t afford to get it wrong. The countdown has started!

About the blogger

George O’Dowd is founder and managing director of Novi Technology.

Novi offers a wide range of IT managed services and proactive IT Support to SMEs across Ireland.

George founded Novi after a successful career at Intel managing large-scale IT projects. As MD of Novi, George is responsible for the daily strategic management of the company, ensuring that the business value of the Novi solution set is maintained to position customers for future growth.

George also oversees all aspects of customer engagement to ensure that all customers, whether new or established, receive first-class service.