The EU’s General Data Protection Regulation (GDPR) has begun its run-up to full implementation in May 2018.
From proposal to enforcement, the GDPR timeline of events shows how the regulation will replace the 1995 Data Protection Directive (95/46/EC) which was created to govern and regulate all businesses processing the personal data of EU citizens within and outside the EU.
The GDPR touted to be the biggest reform of data protection laws in over twenty two years will boost data security and protection for consumers, expediting increased privacy sentience for enterprises.
But what does this mean for SMEs? Below are some key considerations for making your company GDPR compliant.
1: Review Consent of Customer Data Use
Understanding the personal data of customers and how to process it is a crucial part of GDPR SMEs will need to address.
Although customers previously may have given consent upon initial interaction, this does not give SMEs the leeway to use their data however they like.
In fact, under the GDPR, enterprises caught using personal data for purposes other than previously stated upon collection will be prosecuted. It is also important to indicate how long these personal data will be used and retained.
Also, SMEs are required to furnish their customers with their Data Subject Rights which entails transparency of information, communication, and modalities for the exercise of their rights on their data.
Therefore, a review of consent of the entire current customer base may be needed as the GDPR requires clear-cut terms, so individuals are fully informed, and their consent can be freely given or not.
So, general data clauses and vague contract terms will no longer be adequate.
Should the reason why personal data is required by service providers be unclear, and how these data will be used, customer consent may be deemed invalid.
2: Reinforce Your Data Security
Intensive pentesting tests to determine where security vulnerabilities in your organisation lie must be carried out.
Enterprises with the resources to carry out a pen-test won’t have problems doing this internally, or else, outsourcing to a reputable company to do this is a good idea.
Failure to do so may expose your company to hackers and data breaches, compromising sensitive customer data.
Moreover, heavy GDPR fines are in place to punish organisations with weak IT security. For this reason, a thorough IT Security audit is sacrosanct.
Moreover, SMEs must setup necessary notifications to ensure prompt detection, analysis and remediation to meet GDPR standards and maintain compliance in case of a breach.
A comprehensive risk and technology optimisation assessment by Crayon will help get your IT security infrastructure to a GDPR ready state.
3: Employ a Data Protection Officer (DPO)
For businesses processing considerable volumes of sensitive customer data, particularly large enterprises; the function of a data protection officer (DPO) has been mandated by the GDPR.
A DPO’s main job is to ensure your company is compliant with the GDPR’s obligations. Therefore, it is imperative this person be an expert on business practices and IT security, data protection law, and information held within the organisation as regards customer and employee data.
The DPO must be involved in critical decision-making in every aspect of data protection and security, reporting routinely to the chief officer within the organisation.
It is important to note that an existing employee may fill the role of the DPO; the position may be outsourced as well.
However, under GDPR, some I and O leaders depending on current responsibilities may not take on the role. Consulting with your national Supervisory Authority should clarify who exactly should fill this office.
4: Prepare Your Staff to Recognize and Abate Cyber Attacks
As the GDPR approaches, many SMEs to this day still fall short when it comes to data breach preparedness and best data security practices.
An organisation must draw out exactly how it will deal with a breach, and appropriate procedures to mitigate it.
Tight data encryption and secure data transfers will not be enough; IT staff must be trained to understand and identify what constitutes a cyber attack.
Employee error has been reported as the biggest culprit to security threats in SMEs, therefore, to enhance staff data monitoring capabilities, training in business IT security should be a regular drill.
5: Get In Touch with Your National Supervisory Authority
For SMEs to ensure total GDPR compliance, it is crucial they be in constant communication with their national Supervisory Authority also known as the Data Protection Commissioner (DPC).
A supervisory authority’s office, known as the Information Commissioners Office (ICO) in the UK is present in each country in the EU.
In the event of a cyber attack or data breach, reporting to your Supervisory Authority within three days as mandated by the GDPR will be the first step in evading the heavy fines that will be imposed on organisations that fall victim to a breach and miss the 72-hour deadline.
90% of large organisations reported a data breach in 2015, with 74% of SMEs reporting the same. This shows that although preventing an attack may be impossible, being ready is key to mitigating whichever ensuing damage.
The new EU regulation for Data Protection becomes a mandatory requirement in May 2018, the need to get your business ready is now!
Our detailed FREE GDPR awareness questionnaire will ensure you meet the requirements.