Preparing for GDPR
[This article was updated on 28/02/20]
The General Data Protection Regulation (GDPR) came into force on 25th May 2018. It replaced the 20-year-old Data Protection Act, as a lot had changed since that legislation was introduced, and harmonised the 28 separate national data protection laws across the EU into a single regulation.
At the time of writing this article (November 2017), there was very little guidance and support on how small and medium-sized companies (fewer than 250 employees) could effectively meet the new regulations. I suspected that many of the people who really understood GDPR were employed by larger organisations that could afford the cost of employing a GDPR expert.
Now (in 2020), it’s clear that GDPR is still a problem area for SMEs. The findings of the 2019 GDPR Small Business Survey suggested that millions are still yet to achieve compliance.
For many years, I have worked as a strategic and IT facilitator helping companies to understand how technology can facilitate business growth and in some cases going on to help them implement it.
As there is still a lack of guidance out there, I have put this article together to highlight the actions that I believe you need to put in place to achieve compliance. The drivers for doing so were, and still are:
- Cyber crime was growing rapidly: in 2018 it was reported to cost £2.3 million per minute across the globe.
- Digital marketing was, and still is, changing: customers of all types want to be in control of their data and privacy.
- Larger organisations require you to be more secure and will assess you for compliance.
- A cultural shift was needed to be more aware of the risks (financial, reputational, operational and regulatory) and how to mitigate them.
What are the risks?
The headline risk is that non-compliance can attract a maximum fine of up to €20 million or 4% of annual global turnover, whichever is higher.
This means a serious infringement, such as a material data breach caused by inadequate security, could lead to insolvency for a smaller company. In addition, there is considerable damage to your reputation if your customers find out that you have lost their personal data.
While to date there have not been many fines, there have been a small number of headline-grabbing cases; one was the international hotel group Marriott, against which the ICO announced in 2019 its intention to fine close to £100m following a breach of guest data.
Who is the regulator and what guidance is available?
The Information Commissioner’s Office (ICO) is the UK regulator. It produced a 12-step guide, “Preparing for the GDPR: 12 steps to take now”, summarising what you need to do to achieve compliance.
In summary, the ICO advises that you need to:
- Raise Awareness within the senior management and assign a champion to implement GDPR
- Carry out an Information Audit
- Review Company Policies
- Create an Action Plan
- Have procedures for handling individuals’ rights, including subject access requests
- Check that you are processing personal data lawfully
- Review how you obtain consent for collecting and storing personal data
- Verify whether you are holding information on children and any required controls
- Report notifiable data breaches to the ICO within 72 hours of becoming aware of them; make sure you have procedures in place
- Data protection by design: review what you need to be doing to keep data secure
- Assign responsibility for data protection compliance in your organisation
- International businesses will need to determine who their lead data protection supervisory authority is.
What does this mean in practice?
This section looks at the practical actions that a small or medium-sized business might take in order to comply with the regulations. Some of them should already be in place if your data protection measures were built for the old Data Protection Act.
Board Level Responsibility and Risk Management
- Identify a senior person responsible for ensuring GDPR is implemented appropriately.
- Assign the Data Protection Officer role, or recruit one if you are required by law to appoint a DPO.
- Ensure a privacy and security management plan is in place.
- Performance-manage the security plan.
- Business continuity plans are in place and tested.
- Registration with the Information Commissioner’s Office (payment of the data protection fee).
- Conduct a basic personnel security check.
- All passwords are sufficiently strong. If you still force regular (e.g. quarterly) changes, note that current NCSC guidance advises against routine expiry, because it pushes users towards predictable variations; forcing a change on suspected compromise is the better control.
- Guidance is in place to help users select non-guessable passwords.
- A policy is in place to force a password change as soon as a password is known or suspected to be compromised.
- When somebody leaves the business, their access to all systems is removed and any shared or key passwords they knew are changed.
- Old user accounts are removed.
- Ensure users have the correct level of access for what they need to do, and remove administrator access where it is not appropriate.
- Accounts with administrator access are not used for browsing the web or reading email.
- Record who has administrator access and review the list regularly.
- Review whether two-factor authentication is viable for administrator and other high-risk accounts.
- Awareness training on general data protection and security is provided.
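Several of the account-hygiene items above (old accounts, leavers still active, compromised passwords never reset, a record of who holds administrator rights) are easy to check mechanically from a user export. The script below is an added example, not part of the original article or of any product it mentions: it runs those checks over a constructed export in the shape a directory or HR system would give you. The usernames, dates, the review date and the 90-day staleness threshold are all assumptions.

```python
# Added example, not from the original article: an account-hygiene review
# implementing several checks from the list above (old accounts, leavers
# still active, compromised passwords not reset, who holds admin rights)
# over a constructed user export. All usernames and dates are made up.
import csv
import io
from datetime import date

# Constructed sample export (the kind you would pull from a directory or
# HR system); one row per account. Empty fields mean "not applicable".
SAMPLE_EXPORT = """\
username,enabled,is_admin,last_logon,password_last_set,compromised_on,left_on
alice,yes,yes,2020-02-20,2020-01-05,,
bob,yes,no,2019-09-01,2019-06-10,,
carol,yes,no,2020-02-25,2019-12-01,2020-02-10,
dave,yes,yes,2020-02-26,2020-02-01,,2020-01-31
erin,no,no,2018-03-03,2018-01-01,,
svc-backup,yes,yes,2020-02-27,2017-05-05,,
"""

AS_OF = date(2020, 2, 28)   # review date, assumed
STALE_DAYS = 90             # assumed threshold for an "old user account"


def _parse(value):
    """ISO date string -> date, or None for an empty field."""
    return date.fromisoformat(value) if value else None


def review_accounts(export_text, today=AS_OF, stale_days=STALE_DAYS):
    """Return {finding: sorted usernames} for the checks in the list above."""
    findings = {
        "admins": [],                  # record who has administrator access
        "stale": [],                   # old accounts that should be removed
        "leaver_still_enabled": [],    # access not removed when someone left
        "disabled_not_removed": [],    # disabled but still present
        "compromised_not_reset": [],   # compromised, password never changed
    }
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["username"]
        last_logon = _parse(row["last_logon"])
        pw_set = _parse(row["password_last_set"])
        compromised = _parse(row["compromised_on"])
        left = _parse(row["left_on"])

        if row["is_admin"] == "yes":
            findings["admins"].append(user)
        if row["enabled"] != "yes":
            findings["disabled_not_removed"].append(user)
            continue  # the remaining checks only matter for live accounts
        if left is not None and left <= today:
            findings["leaver_still_enabled"].append(user)
        if last_logon is None or (today - last_logon).days > stale_days:
            findings["stale"].append(user)
        # A password set on or before the compromise date has not been reset.
        if compromised is not None and (pw_set is None or pw_set <= compromised):
            findings["compromised_not_reset"].append(user)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for finding, users in review_accounts(SAMPLE_EXPORT).items():
        print(f"{finding}: {', '.join(users) or '-'}")
```

Run against the sample, the review lists alice, dave and svc-backup as administrators, flags bob as stale, dave as a leaver whose account is still enabled, erin as disabled but not removed, and carol as having a compromised password that was never reset. The point of keeping the output as named lists is that each one maps to a checklist item and can be filed as evidence of the review having been done.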
Systems & Premises Based Security
- Ensure you have the right technology in place
- Ensure all systems are installed correctly, are working correctly and are up to date.
- Ensure all systems are correctly licensed.
- When a system or piece of equipment is installed, the default user name and password are changed.
- Ensure systems lock out a user after a certain number of failed login attempts.
- Any ports that are opened (access into the system from outside) are documented and then closed when no longer needed.
- All internal services are blocked from accessing the internet unless they need to do so in order to function.
- On new equipment, all unnecessary applications are removed.
- On new equipment, only the required users are set up, and these are documented.
- Disable AutoRun and AutoPlay on all new machines.
- A centrally managed system for malware protection, so that compliance can be seen in one place.
- An approved list of applications that can be installed.
- Administrators only log in with elevated rights when they need them.
- Appropriate premises security is in place and tested.
- Review all processes to ensure GDPR is being complied with.
- Offshoring – Policies and Procedures are in place to remain compliant.
- Marketing – a GDPR-compliant database (consumers are correctly identified, and opt-in consent is recorded).
- Data minimisation principles are applied to collecting personal data, so that only the minimum amount of information is collected.
- Review how personal data is processed and stored.
- Supplier management – are your suppliers or sub-contractors aware of their responsibilities if they handle any of your data?
- Reporting mechanisms in the event of a breach.
- Ability to handle requests from data subjects, including subject access requests and the right to erasure (the “right to be forgotten”).
- Regular audits to ensure compliance.
Action Plan & Practical Steps
Whatever your view is on the enforceability of GDPR, it’s vital that you comply with the standards to mitigate risk to your business’s finance and reputation, which can be caused by cybercrime and inappropriate marketing. Your customers expect you to respect their data rights and protect any information they provide you with, so it’s also crucial from a consumer trust perspective, too.
Now that GDPR has been in force for a few years, doing nothing is not an option.
Here are my thoughts on how you could put in place appropriate measures (if you haven’t already) if you are running a small or medium-sized business.
- Nominate a board member to be responsible for GDPR implementation
- Put together an Action Plan, including timeline and responsibilities.
- Information audit – find out what personal data you currently hold and how it is processed, stored, archived and protected, and who has access to it. The audit needs to record in which country the data is held.
- Review with HR the company’s policies and procedures relating to personal data and its management.
- Review what personal data is held in your HR systems. Is it secure? What can be minimised?
- Carry out a full security review of your IT infrastructure, policies and procedures. Use vulnerability scanning tools against your external perimeter and websites, and commission a penetration test where the risk justifies it. Consider certification to the Government-backed Cyber Essentials scheme, which should bring you up to a good baseline. Review user access; most companies allow too much access. What can be restricted?
- Review how you collect personal information, including email addresses in your marketing systems. Has consent been correctly obtained and recorded? The regulation requires you to tell individuals how their data will be used for profiling and online tracking (this is where an advert follows you around Google and Facebook).
- Ensure personal data is kept to a minimum. For example, if you are processing credit card payments, can you use a third-party payment platform so that card details never touch your systems? What can be deleted? Can you avoid transmitting or storing personal data at all?
- If you are using cloud-based services, in which country is your data hosted? If it is outside the EU/EEA, is the transfer covered by an appropriate safeguard?
- Prepare a template report to the ICO for use in the event of a data breach; a notifiable breach must be reported within 72 hours of you becoming aware of it, so the template should be ready in advance. Contents need to be:
– How was the data lost?
– What data was taken?
– Which accounts were involved?
– Description of the potential consequences for the individuals affected.
– What mitigations are in place or planned?
- Create a process for locating all of a person’s personal data when they ask for it to be supplied or deleted, and for how that will be done. You normally have one month to respond to such a request.
- If you pass personal data to suppliers, or they process personal data on your behalf, they have their own obligations under GDPR and you must have a written contract with them covering the processing, so carry out due diligence on affected suppliers.
- Communication is important in all of this. Depending on how many people are involved, consider a monthly project meeting and an internal email to all staff to keep everybody informed.
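The information audit in the list above starts with a question most small businesses cannot answer from memory: where does personal data actually sit on our file shares? The script below is an added example, not part of the original article or of any product it mentions: it makes a first pass over a set of constructed in-memory “files”, matching email addresses, UK phone numbers and National Insurance numbers, and returns how many of each live in which location. The regular expressions and the sample file contents are assumptions. It deliberately reports counts and locations rather than the matched values, so the audit does not itself create yet another copy of the personal data.

```python
# Added example, not from the original article: a first-pass personal-data
# discovery scan for the information audit. It checks constructed in-memory
# "files" for email addresses, UK phone numbers and NI numbers and reports
# how many of each live where. Regexes and sample content are assumptions.
import re

PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # UK numbers: leading 0 or +44, then 9 or 10 digits, spaces allowed.
    "uk_phone": re.compile(r"(?<!\d)(?:\+44\s?|0)(?:\d\s?){9,10}(?!\d)"),
    # NI number: two letters, three digit pairs, suffix A to D. Real NI
    # numbers exclude some letter prefixes; this is a loose first pass.
    "ni_number": re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
}

# Constructed sample "files" keyed by path; none of this is real data.
SAMPLE_FILES = {
    "shared/sales/leads-2019.csv":
        "name,email,phone\n"
        "Jane Doe,jane.doe@example.com,0161 496 0000\n"
        "Sam Roe,sam@example.org,07700 900123\n",
    "shared/hr/payroll-notes.txt":
        "New starter: NI number AB 12 34 56 C, contact +44 7700 900456\n",
    "shared/marketing/brand-guidelines.md":
        "# Brand guidelines\nUse the approved logo and colour palette.\n",
}


def scan_text(text):
    """Count matches per category in one document; empty dict if none.

    Only counts are kept: the matched strings are never stored, so the
    audit output itself does not become a new store of personal data.
    """
    counts = {}
    for category, regex in PATTERNS.items():
        hits = len(regex.findall(text))
        if hits:
            counts[category] = hits
    return counts


def scan_files(files):
    """Return {path: {category: count}} for every location holding personal data."""
    inventory = {}
    for path, text in files.items():
        counts = scan_text(text)
        if counts:
            inventory[path] = counts
    return inventory


def summarise(inventory):
    """Aggregate counts per category across all locations, for the audit record."""
    totals = {}
    for counts in inventory.values():
        for category, hits in counts.items():
            totals[category] = totals.get(category, 0) + hits
    return totals


if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for path, counts in found.items():
        print(f"{path}: {counts}")
    print("totals:", summarise(found))
```

On the sample data the scan reports two email addresses and two phone numbers in the sales leads file, and one phone number and one NI number in the payroll notes; the brand guidelines contain nothing and are left out of the inventory. Treat the output as a list of places to verify by hand rather than as the audit itself: regex matching produces both false positives and misses (free-text notes, scanned documents and spreadsheets with unusual formatting will all defeat it), and the real audit record also needs to capture why the data is held, on what basis, and who can access it.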
The Next Steps
You have a number of options open to you. If your organisation is large enough, it should be cost-effective to hire a Data Protection Officer who reports to the board, so that they can be seen to be impartial and independent.
For smaller organisations, you can hire a GDPR specialist to work on the technical aspects and an HR company for the policies and procedures. If you neither understand nor want to understand the detail, then you can work with Peter Dickinson of KUB, who works as a fractional IT director/interim IT project manager to establish and coordinate the project, work with your internal team and, where appropriate, bring in the external resources needed to implement the required changes.
Since this article was first published a Manchester-based company has launched an online system that tells you what you need to do, helps you keep track of what you have done and provides you templates for all aspects of the documentation.
To get GDPR tracker at a discounted rate of £99 per year (should be £299/year), click here.