A Director’s View: 11 Considerations for GDPR Compliance
When we first began our journey toward General Data Protection Regulation (GDPR) compliance, we were surprised by the changes required. Businesses will be impacted by sweeping changes which will cost thousands, if not millions, to ensure GDPR compliance is met.
Having only heard about the regulation in December 2016, I was under the impression that we were already far behind the masses and that everyone around us knew of the changes. But when I began speaking to our peers, clients, and indeed anyone else who would lend an ear, I got the same response.
The simple fact seems to be that awareness of the GDPR is still extremely poor, but time is running out: there are just over 10 months left until the 25th May 2018 deadline. With so many people still asking “What is the GDPR?”, it’s time to get moving.
My main GDPR concerns:
What I believe to be the most concerning part of the new regulation is the sheer amount of work which needs to be put in to achieve compliance in such a short amount of time. Furthermore, 5.2 million businesses in the UK will be required to be compliant by the deadline. This involves the following:
- Know where all PII is stored
- Develop a process to ensure all PII is documented and accounted for
- Ensure processes and systems can handle data subject requests
- Change IT and security policies to comply with the GDPR
- Review and update privacy notices
- Implement fundamental business policies for handling PII and circulate them
- Change sales and marketing processes to ensure PII is not mishandled
- Get consent from all customers; double opt-in is necessary before you can market to them
Third-party considerations:
- Ensure all third parties that process your customers’ PII meet compliance standards
- Document the process for how third parties will use your PII
- Find new third-party suppliers/partners if your existing ones are not GDPR compliant
And this is just the start. This is by no means a comprehensive list of all activities required to meet GDPR compliance standards.
It’s not possible to list everything we’ve learned about the regulation since our GDPR journey began; there’s simply too much to fit into this blog. What I can pass on to you is that you must get started on your journey now. From my understanding, on the day that the GDPR goes live, the full regulation and its sanctions aren’t likely to be applied to the letter of the law. Companies that have completely disregarded the regulation will be fined heavily by their Supervisory Authority should they suffer a breach after the deadline. But those that have started their journey and can prove the development of processes to ensure data privacy by design are less likely to be fined.
Of course, as time goes by I expect that even small deviations from the regulation will mean large fines. But in the 1-2 years after the GDPR goes live I assume there will be a level of leniency if companies are seen to be making their best efforts, which, compared to most standards today, would be a great improvement.
To speak with me personally about IT and the regulation, you can email me at firstname.lastname@example.org or call 0800 292 2230.