Despite the added risk, 54% of organisations have not started preparing for the GDPR. A survey from analyst firm Gartner showed that around half of those affected by the legislation – whether in the EU or outside – will not be in full compliance when the regulations take effect.
At a time of increased cyber attacks and a resulting focus on data privacy, the message is clear: it is essential that the UK has a tough data protection stance that will enable it to compete and trade with other nations. That means becoming GDPR compliant.
The new EU data protection regulation has left many companies unclear about the obligations they must meet in order to become GDPR compliant.
Marshall Elearning Consultancy has launched a new GDPR training resource, developed in consultation with law firm Shakespeare Martineau, to help to get organisations across the UK GDPR ready.
What is GDPR?
The most important change in data privacy regulation in 20 years, GDPR is a regulation issued by the European Commission, the European Parliament and the Council of Ministers of the European Union with the goal of improving data protection for individuals within the European Union.
The new EU General Data Protection Regulation (GDPR) in Europe will be directly applicable starting on May 25, 2018. When GDPR comes into effect, the regulation will overhaul the way companies approach their data and includes big fines for those that do not comply.
The importance of GDPR compliance
Because the update to data protection will come into place in 2018 when the UK is still a member of the EU, firms must ensure they comply with all parts of the regulation.
In summary, the new obligations for processors to maintain GDPR compliance are:
- Defined contractual requirements
- Sub-processor restrictions and obligations
- Record keeping
- Adequate security
- Breach reporting
- Liability to Authority, controller and data subject
- Data transfer restrictions
Confusion will not be a valid excuse as far as the UK regulator, the Information Commissioner’s Office (ICO), is concerned, and those who suffer a breach could be fined up to €20 million.
The new regulation applies to all organisations collecting and processing personal data of individuals residing in the EU, regardless of the company’s physical location.
How to comply with GDPR
Below are 7 broad principles that you’ll need to follow in order to become GDPR compliant. There are more details and nuances than those outlined below, but this is a good start.
- Know where your business stores data. Make a list of all of the services in use in your organisation and contact them to understand where they are hosting your data. According to the latest Netskope Cloud Report, the average European enterprise is using 608 cloud apps. Despite increased awareness on the part of IT over the last year or so, organisations underestimate this figure by about 90 percent.
- Take adequate security measures. GDPR is designed to protect personal data from loss, alteration, or unauthorised processing. As such, you need to know which services meet your security standards, and increase security controls for the services that don’t.
- Get data processing agreements in place. Contact each of your service providers and put a data processing agreement in place with them, to ensure that they are adhering to the data privacy protection requirements outlined in the GDPR guidance.
- Only “necessary” data. Specify in your data processing agreement that only the personal data needed to perform the service’s function are collected by your users or organisation.
- Limit the processing of “special” data. Make sure that there are limits on the collection of “special” data, which are defined as those revealing things like race, ethnicity, political conviction, religion, and more.
- Don’t allow services to use personal data for other purposes. Ensure that your data processing agreement clearly states that the customer owns the data and that the service provider does not share the data with third parties.
- Ensure that you can erase the data when you stop using a service. Make sure that the service’s terms state that a customer can download their own data immediately, and that the service will delete their data once they’ve stopped using the service.
For those taking their first steps towards compliance, the ICO has a useful starting guide and 12-step programme looking at rights, privacy notices and consent. It outlines, for example, the need to put new procedures in place to deal with GDPR’s provisions.
Ensuring employees are ready with GDPR training
GDPR compliance is not just about the business. It is also essential that all employees are educated and understand the importance of securing data in an increasingly complex world.
That’s why our 20-minute course will ensure your organisation is ready for the significant changes to data protection that GDPR brings. Our online resource will highlight key areas of change and the actions required to ensure your organisation is ready for this new regulation.
Learners will gain a thorough understanding of all aspects of GDPR:
- Key questions – why is the EU introducing GDPR and what impact does this have on the UK?
- New principles? – the specific requirements under the new regulations
- Key changes – what is the scope of GDPR? Consent, privacy by design and the role of Data Protection Officers explained
- Potential penalties – failure to comply would result in penalties. Do you know the maximum fine?
- Enhanced rights – discover the enhanced rights of ‘data subjects’
- Breach notifications – organisations must report data breaches within specific timeframes and according to specific guidelines
- How to prepare – a useful checklist against the legal framework that all organisations must adopt in readiness for GDPR.
If you want your business to be GDPR ready, take a look at our new GDPR training resource.
For those interested in finding out more about the GDPR training course or to commission the course for your organisation, please contact David Marshall on 0845 123 3909 or firstname.lastname@example.org.