GDPR – is your company ready?
On 25th May 2018 the EU General Data Protection Regulation will come into force. It will have far-reaching consequences for your business and the way you handle your customers’ personal data.
The General Data Protection Regulation (GDPR) updates the current Data Protection Act. It is more extensive in scope and application, creating a single EU regulation that overrides the complicated data protection regulations of the various EU countries. Irrespective of Brexit negotiations, the UK will have to abide by the GDPR, and the UK government has confirmed that the regulation will apply.
What are the main changes?
- If your company is not in the EU you will still have to comply.
- Heavy penalties of up to 4% of annual global turnover or €20m can be levied.
- What constitutes personal data is much broader.
- The ‘valid consent’ rules have changed, especially for children.
- You may need to employ a data protection officer.
- There is a right to be forgotten.
- There are new requirements for notifying if breaches occur.
- There is new regulation around data portability and international data transfers.
To find out more call 0333 800 8800.
“If your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance. But there’s a carrot here as well as a stick: get data protection right, and you can see a real business benefit.”
How can CCE help you with GDPR?
CCE hold accreditations from the world’s leading vendors of software and hardware. By working with CCE and our partners, we can help you on the way to being as compliant as possible with your IT infrastructure, software, storage & security.
Ask yourself these 7 questions:
1. How ready are we?
Raise internal awareness and get resources planned and on board for implementation. Conduct a risk assessment to measure your company’s technology and readiness to comply.
2. Where is information & sensitive PII (personally identifiable information) held?
All formats must be addressed: hard copy, audio, visual or alphanumeric. You will need to be able to unify records to provide a complete view of a single customer. Understand how sensitive PII is used and moved between databases and applications.
3. How will I respond to legal matters arising from PII under our control?
Ensure your legal policies and procedures are in place to meet the requirements. Evaluate the technology used to isolate and deliver a 360-degree view of any given customer or person, so that either counsel or compliance officers receive the information required.
4. How can I ensure sensitive data is protected, stored and backed up securely?
Evaluate the effectiveness of your total records management and determine whether your existing backups safeguard PII. Review your retention policy enforcement for the defensible deletion of data.
5. How can I identify information for disposition, in accordance with the “right to be forgotten”?
Gain legal advice as to how PII is defined, deploy a policy enforcement tool and establish a process that can be monitored and audited for compliance.
6. Can I report a breach within the 72 hours required?
A comprehensive and defensible policy and system need to be in place. The security breach alerting mechanism must be provided in the form of technology-assisted monitoring, and well-trained compliance staff are needed to use appropriate technology to report, as required, to national data protection regulators.
7. How can I reduce my overall risk profile?
Perform a sound and rigorous risk assessment of policy, procedure and technology. Invest in technology as required to achieve risk reduction. Establish both proactive defences and post-event handling to protect corporate reputation and avoid both fines and business-limiting criminal enforcement.