Mode is preparing for the new GDPR law, which comes into force on May 25th, 2018, and is supporting our clients through this transition and what it means for all businesses.
Recap: What is GDPR
- A new law that will replace the Data Protection Act
- It will require all businesses dealing with any EU business, whether they are in the EU or not, to comply with the following:
- All data must be obtained with consent
- All data held on an individual will have to be deleted if the individual requests it
- Companies must detail what personal data they hold and how it is processed
- Certain businesses will have to appoint a Data Protection Officer
- Data breaches will have to be reported to Supervisory Authorities within 72 hours of the breach
- Failure to comply can result in a fine of 4% of annual turnover or 20 million euros, whichever is greater.
However, it is still apparent that confusion remains among many businesses about what GDPR will mean for them and the impact on their processes.
In 2016, Dell conducted research across Europe to see how well prepared SMBs and large enterprises were for this year's new law. It produced some interesting findings:
- 80% of respondents knew few details or nothing about GDPR
- 97% had no plan
- Only 9% of IT and Business professionals were fully prepared for GDPR
- 70% of respondents said that they were not prepared or did not know whether they were.
- 90% said their existing processes would not satisfy the new GDPR requirements.
However, Mode recently reviewed some more current research by Collyer Bristow (as featured in SmallBusiness.co.uk in October 2017) and found that businesses' understanding of GDPR has improved, but not to the extent you would expect for a law due to be implemented in under 4 months:
- 57% of senior management have little or no direct involvement with data protection
- 34% of businesses have no plans to perform a data risk assessment in 2017
- 23% of businesses have no data breach contingency in place
- 20% of businesses still have not taken steps to prepare for GDPR
So Why is There Still So Much Confusion Over GDPR?
An article in ITProPortal published on 31st January speculates that many companies have their “head in the sand” despite the plethora of warnings from consultants and industry commentators!
Mode Recommends What We All Need to Do Now!
- Implementing GDPR is a board-level issue and compliance must be agreed at this level
- Businesses need to understand what data they hold, what data they need and what data is collected.
- Decide what data is processed and whether your business needs to collect or retain it.
- Have processes in place that will allow you to delete data with confidence.
- Review how personal data flows through your organisation and how it is processed, stored, secured and deleted.
- Ascertain whether your current security policies are adequate to offer protection against unauthorised access and data loss.
- Review any potential breach areas and whether your business has the tools to investigate any compromises.
- Adopt an “end-to-end security” approach that guarantees protection of personal data across its full life cycle, from its creation and storage until the time it becomes obsolete.
Follow These Steps:
- Prepare: understand the personal data you hold and the potential risks
- Protect: protect personal data from malicious attacks and misuse
- Detect: provide rapid detection and understand the impact of any breach
- Respond: respond efficiently and effectively to remain compliant and mitigate any risk.
With the new law coming in under 4 months, it’s essential that companies act now to ensure we are all prepared for GDPR.