GDPR: Where do you start?

You’d be forgiven for thinking that GDPR or the General Data Protection Regulations, due to be enforced from 25th May 2018, were something completely new.

In fact, they are an update of the existing data protection laws from 1995.

There are clearly differences, including new rights for users and the introduction of data breach reporting requirements, along with consistency across all European countries. That won’t change even after Brexit, especially if you have employees, partners or customers who are based in other EU countries.

And, of course, there are the fines!

The big change here is the level of punishment that can be dealt out.

Breaching the existing data protection laws already carries heavy penalties, as Basildon Borough Council recently discovered, but the £150,000 fine they received is a pittance compared to the £17.5m, or 4% of global turnover, that could be handed out from next May.

In reality the changes are long overdue given fundamental changes in technology over the last decade, the way information is stored and processed, and the increasing risks associated with misuse, loss or unauthorised publication of personal data.

GDPR throws up numerous questions for businesses of all sizes: Who’s responsible? How much sensitive data do we actually hold? How well secured is our data and our systems? What steps do we need to take? How do we know that we are compliant?

This last question is always going to be one of the most challenging to answer given that any regulations are open to interpretation. There are some inherent contradictions between what’s required from GDPR versus other compliance requirements, i.e. the right of an individual to have personal data deleted against the legal requirement in certain industries to hold data for seven years.

However, these uncertainties can’t be used as an excuse for doing nothing.

So where do you start?

From what we’ve read, watched and discussed with colleagues from within TSG and also key partners, here’s a list of areas you should probably consider.

1. Ownership – although this might be somewhat ‘chicken and egg’. Until you understand what’s likely to be involved it may actually be difficult to define who should own GDPR and it’s likely to be multi-dimensional and multi-departmental. In the first instance, ownership really needs to be as high up within the organisation as possible.

2. Start with something – and probably something manageable based on the answers to 3 and 4.

3. Discovery, part 1 – apologies for the jargon but essentially, this is about trying to establish what data sets you have within the business. There are likely to be multiple locations including files shares and network drives, databases that sit behind business systems and in many cases external services such as Dropbox. If you’re already using Office 365, OneDrive and SharePoint you may be ahead of the game. And you shouldn’t forget personal desktops.

4. Discovery, part 2 – what tools and policies do you already have within the business that might help with compliance? If you’re already using device encryption that’s good news. Security, backup and disaster recovery will certainly be central to compliance given more than 90% of data breaches last year were caused by malware or hacking.

5. What and where are the risks – it’s not always easy to determine of the risks but again making a start is what’s important.

We’ll be posting regularly on GDPR over the coming months and breaking down key components and technologies that will address the different areas you need to consider and tackle.

We’re also running a series of roadshows across the country, with contributions from PwC experts, to cover the information governance and process issues and complement the technology story which will be told by our CTO, Paul Burns.

So, as a final note for this post, it’s important to understand that the work required to comply with GDPR should have a very beneficial side-effect: it’s likely that you’ll get to know your data – and your customers – far better than before and if you can harness valuable insights then, rather than being a burden, GDPR could result in a ‘win-win’.