The Regulation was adopted on 27th April 2016 and will come into force across all member countries (and any additional accession countries that enter the EU before then) on 25th May 2018. The UK government has confirmed that the UK will also adopt the GDPR before leaving the EU.
At Equiniti we have determined that our corporate clients face significant potential sanctions for failing to assess the impact of a breach and for failing to report breaches.
The fines can be draconian – potentially threatening the legal and commercial viability of companies that fail to address their data privacy processes.
We propose these key actions on the part of Chief Information Officers or nominated Data Protection Officers:
- Think of your customers and think of the obligations you have to them. Customers can demand that you erase records or may ask you to explain retention of data that you hold about them. Be prepared to provide information or to take action that ensures compliance.
- Accept that co-ordination is essential. A piecemeal approach to compliance – with various business units doing their own thing – is a sure route to breach. Awareness from board-level down is essential.
- Diagnose and document exactly what information is held. Documents residing in document management systems, file shares and email systems will be key categories to assess.
- Map data as part of a Privacy Impact Assessment. Only by having a visualisation of where data resides, who has permission to access it and to where it flows can appropriate processes be put in place.
- Complete a root and branch review of this information flow. Understand how personal information is used, how it’s stored and how it’s deleted. Only by completing an audit across the business will it be possible to identify potential compliance failures and the mitigation required should a breach occur.
- Assess customer data quality (e.g. duplication) and prepare to address any issues found.
- Prepare to upgrade or implement new document management and high-performance search capabilities – this will be essential for responding to customer and audit enquiries.
- Implement case/complaints management – prepare to use an existing system or implement a new one.
- Create a chain of accountability where all the key parties know their roles and plan for a breach. This may involve the most senior officers in the company and will require communication across the business.
- Work out how others can help. Working with suppliers like Equiniti will give you the assurance that you’re working with a supplier that understands the importance of data compliance and can provide services that work seamlessly with your in-house business processes.
- Understand that communication is key. Policies and procedures therefore need to be reviewed, properly documented and compliance-assured. Involving key third-party suppliers is also critical.
- Remember that territorial thinking will be a risk to compliance. Therefore, ensure the entire business considers information that flows between borders and between business units.
We’re here to help. If you need assistance in preparing for the GDPR, please contact us at email@example.com or +44 (0)28 9045 4166.