With the European Union’s General Data Protection Regulation (GDRP) coming into effect 25th of May, we catch up with Tom Willis, CMO at LawPath to understand how best to prepare your business.
How to get GDPR ready
The rules and expectations for privacy compliance in the European Union (EU) is changing, leaving many Australian businesses unsure of how much (or little) it affects their current processes.
On the 25th of May 2018 the European Union General Data Protection Regulation (GDPR) will be implemented, with new data protection requirements to improve the transparency of online privacy and security. Under the new regulation, Australian organisations with data processes in the EU will need to adhere to the new requirements or risk the issuance of heavy fines (up to 20 million Euros!).
To prepare yourself for the GDPR, we’ve outlined 6 key tips to both identify the impact it will have on your business and what you can do to get compliant.
Here are some tips to help your business get GDPR ready:
1. Determine how the GDPR Affects Your Business
You’ll need to clarify whether your company, directly or indirectly, has any contact with the EU marketplace or its data population. You may be covered by GDPR if your business:
- Has an office in the EU
- Sells products or services in the EU (including payment fees in Euros)
- Has EU customers or users
- Tracks individuals in the EU on the internet and uses data processing techniques to ‘profile’ individuals (ie. analyse and predict personal preferences, behaviours and attitudes).
Smart Survey have created a GDPR compliance checker which is a great starting point for determining what you’ll need to do to ensure you’re meeting expectations.
It is highly recommended to seek legal guidance if you believe you’ll be affected by the GDPR to determine how your business needs to respond to these changes.
2. Update your privacy policy
Many of the standards under the GDPR follow similar standards under the Australian Privacy Principles, meaning that an up to date privacy policy is a great step in the right direction. However, there are a few extensions as part of the GDPR that should be highlighted, namely:
Data erasure
- a subject has the right to be forgotten, entitling them to have their personal data erased due to irrelevance or a withdrawal of consent.
Consent
- The strength of consent has been re-evaluated, requiring users to provide explicit consent (ie click a checkbox) before collecting personal sensitive data such as political or religious beliefs, health or genetic data and sexual orientation.
Breach notifications
- This will become mandatory where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be notified to your lead supervisory authority within 72 hours of being aware of the breach.
It is even encouraged for businesses that are not currently affected by the GDPR to review and monitor their current compliance practice. This will demonstrate a strong commitment to consumers of better international privacy practice and strengthen customer trust.
3. Get everyone on the same page
It is important to inform all senior personnel and employees so that everyone is aware of the GDPR - what it is, when it starts and how it affects their practices. This will allow the company to analyse and monitor its current compliance practices and review these practices against the new expectations under the GDPR.
4. Adopt a centralised approach
A centralised IT framework ensures you’ll be able to combat the challenges of the new GDPR regulations, as it provides greater security for your data whilst keeping track of its whereabouts at all times. While also providing more secure access to the business network and databases, centralising your IT framework also simplifies and streamlines audit reporting.
By preventing sensitive data from being stored on devices, a business will be able to maintain greater control of access of protected information.
5. Secure your network now, not later
Transparency is key to the new GDPR, requiring businesses to have greater network visibility so that in the case of a breach the business will be able to defends its security approach. Therefore it is important for organisations to now assess, evaluate and monitor its security-based decisions. This can be accomplished through:
- Testing your security infrastructure: authenticate your network security by running high traffic tests, with sensitive personal data, as well as malware and other cyber threats.
- Monitor and decode encrypted traffic: cyber breaches most commonly infiltrate through encrypted traffic, therefore the importance of monitoring this traffic.
- Conceal personal information: it is important that administrators be able to encrypt personal data and data patterns for heightened security.
6. Hire a Data Protection Officer (DPO) now!
Businesses that process and monitor sensitive date on a large scale will be required to appoint a DPO, their role will be to oversee data compliance and protection. All businesses will be required to complete an internal analysis to determine the extent of the data collated and the degree of sensitivity of that data (race, politics, religion etc), if no DPO is appointed then a record of this analysis must be available upon request to support this decision.
According to the EU GDPR website, your DPO should be appointed on the basis of professional qualities (ie expert knowledge of data protection law and practices) and can be either a staff member or external provider. They’ll also need to report to the highest level of management and can’t carry out tasks that could result in a conflict of interest.
Big thanks to Tom for giving us a helpful run-down of what our community needs to be doing to get GDPR ready!
Be sure to check out Recomazing to see what our members (entrepreneurs and industry experts) have to say about LawPath and other tools they love.