The clock is ticking – businesses need to actively start putting structures and processes in place so that come May 2018, they are in compliance with the GDPR. For firms that are already familiar with the current rules on Data Protection and have applied them consistently thus far, GDPR will be much easier to implement. However, given the way many firms have reacted to the introduction of the GDPR, we could be forgiven for thinking there’s a data revolution on our hands. The threat of huge fines for a data breach has further fanned the flames.
Whether it turns out to be an evolution or a revolution, it is an opportunity for firms to focus the minds of lawyers and other professionals on the issue and to ensure that the data they hold in InterAction is up to date and targeted. In fact, GDPR can both improve adoption of the system and give data quality the attention it genuinely deserves.
Here are some steps that firms are taking to ensure that they can demonstrate compliance:
1. Education – This is taking place via informal training and through organised courses on specific specialisms such as Finance, HR and Marketing/Business Development. In addition, many firms are taking advantage of the wealth of information that is available online. The most popular resource, and indeed the one most highly recommended in the UK, is the ICO website, especially as the ICO is the organisation responsible for enforcing data protection law and issuing fines in the country. Firms that are outside the UK but within the European Union should familiarise themselves with the equivalent supervisory authority in the country in question.
2. GDPR steering group – Such groups in firms typically include senior level representation from different departments within the business. The steering groups are responsible for developing and executing detailed plans to undertake the work needed for GDPR compliance. They also agree the communication plan for GDPR across their business.
3. Appointment of a Data Protection Officer – This role is seen mostly in larger firms. Note that the regulation itself makes the appointment mandatory for certain organisations, for example public authorities and those whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, so each firm should check whether it falls into one of those categories rather than treating the role as optional.
4. GDPR project team – Firms set up such teams to manage all the tasks related to GDPR compliance.
5. System and data audit – Firms are undertaking a full review of all systems and data held by the organisation. This is helping them to understand what data is recorded, why it is recorded, and where risks may exist from a data management perspective. This task is assigned to members of the GDPR project team.
6. Communication and training – Firms are seeing the value in providing regular updates to employees on what GDPR means and what steps the organisation is taking to demonstrate compliance. This also covers any responsibilities that individual employees have in enabling the business to comply with the regulation.
7. GDPR champions – Some firms are assigning GDPR champions in different departments so that these individuals can assist with the system and data audits and ensure that any communication on the initiative is received and properly understood. Where firms use InterAction, the champions tend to be responsible for reviewing the data that is held in the system, how the system is configured, and whether the folder structure needs to be adapted to demonstrate GDPR compliance.
A point to note about GDPR is that, because it is a regulation rather than a directive, it applies directly and simultaneously in all member states from the same date, 25th May 2018, without needing national implementing legislation. It replaces the 1995 EU Data Protection Directive (95/46/EC), which, being a directive, left each member state free to decide how to transpose it into national law. The British government has confirmed that Brexit will not affect the implementation of GDPR, and organisations outside the EU are also caught by the regulation where they offer goods or services to, or monitor the behaviour of, individuals in the EU; a firm with EU clients should therefore assume it is in scope.
The following link to the ICO website is worth a read: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/accountability-and-governance/
Remember, if the ICO or an equivalent supervisory authority knocks on your firm's door to audit compliance with the GDPR, a business that can show it has made a genuine attempt to comply will be viewed far more favourably than one that did nothing.