GDPR preparation: 2018 data protection changes

Changes to data protection rules will have major implications for your business

Your GDPR preparation timeline

One of the primary challenges for small businesses when facing GDPR compliance is budget. As Clearswift's Dr Guy Bunker pointed out before GDPR came into effect, you now have approximately two years to get compliant so if you start allocating budget this year, you can split the cost down the middle by spreading it over the two-year period.

However you arrange your budget, Dr Bunker advised small businesses need to have been ready six months ahead of the GDPR-compliance deadline, so there's a buffer in place to accommodate the hitches that will appear along the way. Here's what you need to have been doing and when.

First 6 months: If your organisation has more than 250 employees, then you'll need a data-protection officer (DPO). If you don't already have one then this post should be filled sooner rather than later, so that they can be involved in the journey towards compliance.

6 -12 months: Work out where new procedures need to be introduced, such as security and breach notification. You should aim to get this in place early, so you have plenty of time to disseminate new policies and test new processes around your business.

12 - 18 months: Start conversations with suppliers and data processors to discover how they'll protect your information and respond to requests for data deletion. Look at tools to help in discovery, especially for "right to be forgotten" requests, which need to be done in the next two years.

A risk-based approach to the rules

Over the past six months, we have had a lot of official guidance for SMEs to come from national bodies such as the Information Commissioner's Office. This has helped clarify and dictate the detail of what specific industry sectors must have done to be GDPR compliant.

Before GDPR came into effect, we had asked Christine Andrews, managing director of data governance, audit and consultancy firm DQM GRC for her advice, which still applies today and should be carried out immediately if businesses have yet to become fully GDPR compliant. 

"First, organisations need to evaluate the personal data they have," she told us. "Categorise the data so you're clear where the personal and sensitive data resides, and where other, less important data sits in the company. Usually, drafting a data map will help businesses to understand the pattern of data through the company, provide clarity on who has eyes on the data, indicate what skills these people have and, finally, highlight where the data ends up.

"Once organisations understand just what personal data they're holding, they should then ensure that regular risk assessments are completed, in order to understand the level of threat imposed on the company when processing data.

"The GDPR, in fact, demands a risk-based approach with the development of appropriate controls. This should, in a single stroke, ensure that management recognises the dangers associated with the loss, misuse, theft or any other compromise of customer data. For organisations that pass data onto others, there is a tendency to presume that third parties operate to high standards of data security and protection. The GDPR now requires controllers to obtain sufficient guarantees of this before engaging with processors.

"Basically, as the data owner, you must check that the organisations you're working with have effective technical and organisational measures in place to ensure the security of the processing."

WATCH: Learn more about the security threats facing businesses today and how to combat them in this free webinar WATCH NOW

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Leading the data race

The trends driving the future of data science

Download now

How to create 1:1 customer experiences at scale

Meet the technology capable of delivering the personalisation your customers crave

Download now

How to achieve daily SAP releases

Accelerate the pace of SAP change to support your digital strategy

Download now

Most Popular

Unilever adopts Google Cloud’s complex data processing for conservation drive
big data analytics

Unilever adopts Google Cloud’s complex data processing for conservation drive

22 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020