Becoming compliant with the new GDPR legislation (25th May 2018) doesn't have to be complicated. At first it can seem daunting and confusing, but once you understand the various elements of it, it can be a simple process.
Essentially, GDPR comes down to three categories: Legal, Compliance and IT. When you know the different requirements that need to be met in these three categories, you can confidently plan to become compliant.
One thing to consider about this process is that it will take some financial investment. However, most businesses do understand this and have already begun their road to compliance. It is worthwhile after all: if you fall victim to a cyber breach, hold customer data inappropriately, or send marketing material without consent, you can expect a fine of 4% of your global total revenue or up to £17 million, whichever is higher.
What is the GDPR Legislation and why is it happening?
The General Data Protection Regulation (GDPR) is about protecting consumer data and privacy and preventing cyber breaches. Because of Brexit, many businesses in the UK thought GDPR would not affect them, but this is not the case.
GDPR affects anybody trading in the EU or anybody trading with countries in the EU.
If you were to experience a cyber breach, the Information Commissioner's Office (ICO) will need to investigate your company. This means they will assess what security measures you have taken to protect your consumer data. If your protection and procedures for data protection are poor, you are more likely to receive a fine. If you have proven you have adequately protected your data, you are less likely to receive a fine.
GDPR was adopted on 27th April 2016 and, after a two-year transition period, becomes enforceable from 25th May 2018.
The Three Elements
The compliance element covers how you store client information and who has access to it. The ICO requires you to have an adequate reason for storing client information. If you cannot prove why you need client or prospect data, then you shouldn't have it at all. You can now only store consumer data for a legitimate purpose.
Another part of compliance is who has access to this information. Only the people who need to access the data should be allowed to access it. How do you do this? We will cover that shortly in the IT element.
Do you use email marketing? GDPR states you may only use email marketing if you can prove the recipient has opted in to receiving your emails. Of course, you can have an "opt in to emails" checkbox when someone downloads your ebook or lead magnet, but this must be unchecked by default. It's a good idea to take screenshots of opt-in pages you've made in the past, as the burden of proof lies with the business owner.
What about my previous or current marketing lists?
GDPR says that all previous data must have been obtained under the new rules, so expect re-engagement campaigns to gather proof of opt-ins.
If you were to experience a cyber breach, the law requires you to tell all clients affected within 72 hours. If you do not, you are likely to face a fine.
The legal element is built on the six legal bases for processing under GDPR, which are as follows:
- Contract
When you are providing a service for a client, say a mobile phone contract, you need to use their data often. The contract must show that the client accepts this.
- Legal obligation
Where a matter is serious and the law requires it, you must take it to the authorities rather than to the client. For example, if an accountant were to identify fraud in a client's books, they must report it to the government. This means legal processes must be implemented.
- Vital Interests
Processing data is permitted where it is necessary to protect the vital interests of someone in a life or death situation, such as a patient in a coma.
- Public Interest
This only affects public organisations such as the government or hospitals.
- Legitimate Interest
This means that you are allowed to process client information if the reason is legitimate and of interest to those involved, which can be proven with contracts and opt-ins.
- Consent
Consent must be given by the subject in order to process his or her personal data for one or more specific purposes.
The IT side of GDPR links to the other two elements. In order to be compliant with your data, and only allow the right people access to certain data, you'll need technology processes and systems in place. This can be done by setting up permissions for individual employees: most of your organisation will have access to a limited set of folders and locations, while only those who need access to the rest will be granted it. Your IT provider can set this up for you.
The most important aspect of the IT side of GDPR, however, is the implementation of cyber security. Having cyber security measures in place proves that you have done everything you can to prevent a cyber breach and thus protect your client data.
In the event of a cyber breach, the ICO will investigate the breach and assess whether you have done what you can to adequately protect your client data. If you have, you are less likely to receive a fine. If you have not, you are much more likely to get a fine.
What's more, if you do experience a cyber breach, your company has 72 hours to inform your customers. If you don't inform your customers in this time frame, expect a fine.
The best way to prove you have adequately set up protection of your data and your business is by achieving the Cyber Essentials Plus Accreditation.
We achieved the accreditation last October, but now that GDPR is very near, it's becoming increasingly important that businesses adopt it into their culture.
Cyber Essentials Plus is a government scheme that encourages organisations to adopt good practice in their cyber security measures. It's all about securing and protecting your data and your business. GDPR involves putting security at the forefront of any business decision. It means ensuring you have done everything as a business to protect the data you hold about people.
Cyber Essentials Plus focuses on five areas:
- Boundary firewalls and internet gateways
- Secure configuration
- Access control
- Malware protection
- Patch management
If you would like to find out more about Cyber Essentials Plus, or think you are ready to officially secure your business and data in order to become GDPR compliant, you can contact us on 01273 806211, or email me, James, at [email protected]