Organisations around the world are working hard to ensure that they’ll be able to comply with the EU GDPR when it comes into force next May, although many are lagging behind.
To help your business prepare, my last couple of posts have looked at the importance of understanding the requirements of the GDPR, and identifying the type of customer data your business holds, and where it is held.
Although it’s an admittedly complex and daunting issue, it’s time now to think about whether your business is actually ready for the GDPR.
The first step is to identify all of the systems in which personal data is housed or processed by your organisation. Once this has been done, there are a number of questions to consider, such as:
- What mechanism(s) will you provide to data subjects so they may enquire about their data?
- Can you accurately and completely comply with a request for erasure, and provide evidence to the data subject that this has been carried out?
- Have you taken adequate steps to protect the personal data that you control or process, and can you provide evidence that you’ve done so?
- In the event of a data breach, can you comply with the notification requirement within 72 hours? Alternatively, have you securely encrypted or pseudonymised all personal data, thus avoiding the breach notification requirement?
- Do you understand the risks to the systems where personal data is processed?
Make no mistake, it’s critical that you’re able to answer these questions. The GDPR does have teeth after all…
Take the data breach experienced by TalkTalk in 2015 by way of illustration.
The company’s data was unencrypted. Had the breach occurred today, based on TalkTalk’s 2015 revenues of £1.795 billion, the fine would have been around £72 million under the GDPR, as opposed to the £400,000 they paid at the time.
Even though more than two thirds of organisations (68%) have experienced a breach, a recent report from Dell reveals that fewer than a third (31%) of companies are currently prepared for the GDPR.
Time is running out. The EU GDPR will be enforced in less than a year’s time, and businesses must be prepared for it or risk hefty fines and significant reputational damage.
In my final post on the subject, I’ll be taking a look at how you can implement the appropriate data protection measures for GDPR compliance.
Until then, you can check out our website to assess whether your business is fit for GDPR.