GDPR is currently in full force, and we’ve already seen businesses like Facebook and Google come under fire for potential non-compliance within days of its advent. Only a month before the deadline, a Crowd Research report declared that 93% of respondents were not yet “in full compliance” with the regulation. Here Natasha Bougourd, TSG’s Lead Applications Writer, specialising in IT support, Office 365, Dynamics 365 and business intelligence, talks Lawyer Monthly through the ongoing intricacies of GDPR compliance and the priorities ahead.
GDPR has been long-awaited, but it hasn’t been explicit in what is required from businesses. The good news is that 80% of those surveyed identified GDPR as a key business priority, and compliance is more of an ongoing journey than a task that could be marked as completed on 25th May 2018.
As both data controllers and data processors, law firms in particular must ensure strict adherence to the new regulation. What are the areas you should be prioritising in order to maintain compliance with GDPR?
Protect your data
Businesses hold and process more data than ever before. And a significant portion of that will be Personally Identifiable Information (PII); this is the data that matters under the GDPR.
Many businesses that don’t store customers’ personal information make the mistake of thinking this doesn’t apply to them; however, all businesses will at the very least hold employee information. Therefore, all businesses must put measures in place to safeguard that digitally-stored data.
Encrypt, encrypt, encrypt
When it comes to the best method of securing your data, encryption comes out on top. Not only is it a robust way to keep your data inaccessible to cyber criminals, it’s recommended throughout the full GDPR documentation. Should any PII data you hold fall into the wrong hands – whether deliberately or accidentally – encryption will render it unintelligible. Encryption can operate at a file, folder, device or even server level, offering the level of protection most suited to your business needs.
Create policies and review constantly
Under the GDPR, you must implement policies that detail how you’ll process, access and protect PII data. It also states that data controllers must “adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.” When you act as a data processor, you must abide by the data controller – your client – and their restrictions. All new policies, whether specifically related to GDPR or not, must be drafted in line with a ‘privacy by design’ model. Existing policies, including your data protection policy, privacy policy and training policy, should also be reviewed in light of GDPR.
Complying with subject access requests
An element of the GDPR that hasn’t received a lot of media coverage is complying with subject access requests. Individuals can request access to the data you hold on them, verify that you’re processing it legally and, in some cases, request erasure of their data – also known as the ‘right to be forgotten’. Under GDPR you’ll have only a month to respond to these requests; otherwise you’ll be at risk of non-compliance. More guidance on this can be found in the Information Commissioner’s Office (ICO) GDPR guide.
What to do if the worst happens
It’s something no business wants to think about, but you need to know what to do in the event of a data breach. Businesses must report it to the ICO within 72 hours of discovery. It’s especially important to note this, as failing to meet this obligation could be considered a bigger breach of the GDPR than the data leak itself. Both Uber and Equifax have come under fire in the past year for covering up breaches, reporting them late and keeping the extent of the breaches under wraps.
Finally…don’t panic
Empowering consumers is at the heart of the GDPR, not making an example out of businesses. Whilst there has been a lot of confusion around exactly what has been required, it’s clear that cyber-security is imperative, as is clueing up on your reporting and response obligations. It’s important to note that simply experiencing a cyber-attack or data breach won’t automatically result in financial punishment; the GDPR clearly states that, should you prove you put in place measures to protect your PII data, you won’t be hit with the most severe fines.