By Lindsay Lucas, Managing Director of Software Solved
The introduction of the General Data Protection Regulation (GDPR) in May 2018 represented the culmination of years of effort to create a fit-for-purpose compliance programme. The purpose of GDPR is to strengthen privacy rights by making organisations more accountable for how they collect, store, protect and use personal data.
While many companies within the regulation’s scope fine-tuned their strategies to ensure compliance, others are still playing catch-up. GDPR is likely to remain a hot topic for years to come, and companies that lack robust, long-term compliance policies may need to allocate more resources to plug gaps and avoid the penalties associated with non-compliance.
Why GDPR is a starting point and not a conclusion
GDPR’s introduction should be seen more as a starting point than a conclusion. Now that the organisational structures are in place and the processes are defined, companies need to ensure that they execute their policies and best practices efficiently and effectively on a day-to-day basis.
GDPR has set a new standard for consumer rights regarding their data, and companies have been challenged as they put systems and processes in place to maintain ongoing compliance. Implementing a GDPR strategy does not mean the job is complete: companies need to keep looking at ways to understand where their data is and how to protect it going forward.
The regulation is not a tick-box exercise, and compliance does not mean that companies can rest on their laurels. The processes in place need constant review to ensure that data is being handled responsibly.
What are the challenges?
Companies are facing different challenges. For example, some data-intensive businesses struggle to find a practical and efficient way of keeping data processing records up to date in the long term, because every customer, employee and contractor brings a wealth of personally identifiable information (PII) with them.
Common challenges include the volume of data subject requests (DSRs) that companies receive, each of which must be completed within one month of receipt. Companies also seem to struggle with the tight personal data breach notification requirements, whilst others have found the impact of the GDPR on the marketing rules set out in the Privacy and Electronic Communications (PEC) Directive more testing.
Compliance has raised concerns and set new expectations about how companies hold their data. For example, the GDPR takes a wide view of what constitutes personally identifiable information. In the wake of many high-profile data privacy issues, and with evidence that data breaches cost on average almost £3 million per business, there is a white-hot spotlight on data protection and on how businesses are handling, processing, storing and disposing of sensitive data.
What is compliance?
What does it mean to be compliant? It means putting workflows and policies in place that set out how a company achieves data protection in line with the new laws.
To be compliant with data security regulations, companies need to take a close look at the types of sensitive data they are collecting and how it’s currently being handled. In line with the International Organisation for Standardisation (ISO), businesses must implement a series of data management systems that provide protection at the data level, known as information security management systems (ISMS). An ISMS is defined by the ISO as “a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.”
In particular, ISO 27001 is the most widely recognised data security standard for businesses. Being compliant with ISO 27001 will put your customers’ minds at ease knowing you have been certified as a safe business to trade with.
How has technology helped?
It is important to understand that trust and reputation management are tightly connected. When an incident such as a data breach occurs, it can damage a company’s reputation beyond repair, depending on the scale of the breach, as well as costing a fortune in ICO fines. GDPR has data protection and privacy at its core, so the repercussions of failing to honour it are likely to be very public.
Technology has helped companies achieve, maintain and evidence compliance more efficiently, and as a result compliance should become more streamlined and simplified over time. Whilst there have been a number of fines to date, they are fewer than expected. Some companies have incorrectly interpreted this to mean they can scale back their GDPR programme activity. Companies need to remember that GDPR is a new law, and as it matures the number and size of the fines issued are expected to increase. Having solid privacy compliance processes in place, ideally in the form of a structured privacy compliance programme, is therefore vital.