As we all saw yesterday Facebook is now looking at the prospect of a hefty fine, had this information come to the commission’s attention on May the 25th. It could have been a different story. Time is running out not just for Facebook to protect all our data but for everyone else as well. For those of you that are still struggling with challenges faced by the new GDPR, please read on for some practical tips.
The Facebook-Cambridge Analytica situation this week has thrown the way companies handle data into spotlight and mainstream news once again. Cybersecurity and cybercriminals now have become commonplace in our daily news cycle. Time marches on to the May 25th deadline when all companies will need to comply with the new EU Global Data Protection Regulation (GDPR). Business across the UK and the EU have only two months to consider how they handle, collect and store citizens personal data that do not infringe on their rights.
We know about the fines facing companies that don’t comply or have no plan in place to show the commission they are preparing for GDPR but let us talk frankly for a minute. What would the reputational damage be for a company hitting the headlines because of a data breach? For these large organisations, how do shareholders now view the stock? How does the average consumer on the high street now see the company that lost their data? We are all consumers and we trust companies to take care of our personal data. We trust them to take adequate steps to protect it where it’s stored. We trust them enough to assume they have taken the necessary steps to stop the constant threat of cyber criminals hell-bent on stealing that data. But look at Facebook as an example. They are a massive global organisation with endless resources to secure personal data, but they failed. We as consumers feel helpless when our data is splashed across the news headlines and the reputational damage to the business and the brand sometimes outways whatever the fine will be.
There are some positives we can take from high profile data breaches. Many company executives have been forced to sit up and take note. The old idea of leaving compliance to the IT manager has gone. Companies now realise they have a responsibility to keep the data they collect secure. They also have to minimise the risk of data breaches as best they can by taking a company-wide approach to data management.
These companies are now driving a lot of the governance work, including revised policies, training and assurance, which is time-consuming, but necessary. A company’s ability to inform the ICO (information commissioner’s office) of a data breach within 72 hours of being alerted, and being able to respond to subject access requests within one month is currently a large challenge. Companies are being forced to take the appropriate steps to review how they process data and take adequate action.
To help you with the GDPR mind field I have created 10 practical tips for compliance, hopefully, this helps?
1. Map out where personal data is, where it came from, who has access to it and what it’s being used for.
2. Expand on your consent notices, across your website, brochures and third-party contracts.
3. Explain the option to opt out of future marketing, when data might be collected, and exactly how it could be used to meet the new requirement for ‘clear affirmative action’, and an end to pre-ticked boxes and bundled consents.
4. Signpost privacy notices better across all mediums.
5. Highlight to your customers when data that’s been collected may be sent outside the European Economic Area (EEA), to Government Digital Service centres overseas for example, where data protection may not be as strong as within the EEA.
6. Ensure customers are aware of their right to demand full details of the information held on them. Under the new GDPR citizens now have rights on what data is being stored.
7. Understand that a company’s appointed data controller must notify privacy regulators and affected individuals in the event of certain data privacy breaches within 72 hours – without the correct tools this could take some time!
8. Conduct a full data audit, and review data collection forms and privacy notices. How much sensitive data you have and where it is.
9. Demonstrate compliance to regulators on a security by design basis and maintain records of data protection management. If you have not got consent to hold a person’s personal data – delete it.
10. Take practical steps to deal with Subject Access Requests and the Right to Erasure – again there are tools out there to help speed this process up.
Good luck as time is ticking!