GDPR preparation: 2018 data protection changes

Changes to data protection rules will have major implications for your business

Your GDPR preparation timeline

One of the primary challenges for small businesses when facing GDPR compliance is budget. As Clearswift's Dr Guy Bunker pointed out before GDPR came into effect, you now have approximately two years to get compliant so if you start allocating budget this year, you can split the cost down the middle by spreading it over the two-year period.

However you arrange your budget, Dr Bunker advised small businesses need to have been ready six months ahead of the GDPR-compliance deadline, so there's a buffer in place to accommodate the hitches that will appear along the way. Here's what you need to have been doing and when.

First 6 months: If your organisation has more than 250 employees, then you'll need a data-protection officer (DPO). If you don't already have one then this post should be filled sooner rather than later, so that they can be involved in the journey towards compliance.

6 -12 months: Work out where new procedures need to be introduced, such as security and breach notification. You should aim to get this in place early, so you have plenty of time to disseminate new policies and test new processes around your business.

12 - 18 months: Start conversations with suppliers and data processors to discover how they'll protect your information and respond to requests for data deletion. Look at tools to help in discovery, especially for "right to be forgotten" requests, which need to be done in the next two years.

A risk-based approach to the rules

Over the past six months, we have had a lot of official guidance for SMEs to come from national bodies such as the Information Commissioner's Office. This has helped clarify and dictate the detail of what specific industry sectors must have done to be GDPR compliant.

Before GDPR came into effect, we had asked Christine Andrews, managing director of data governance, audit and consultancy firm DQM GRC for her advice, which still applies today and should be carried out immediately if businesses have yet to become fully GDPR compliant. 

"First, organisations need to evaluate the personal data they have," she told us. "Categorise the data so you're clear where the personal and sensitive data resides, and where other, less important data sits in the company. Usually, drafting a data map will help businesses to understand the pattern of data through the company, provide clarity on who has eyes on the data, indicate what skills these people have and, finally, highlight where the data ends up.

"Once organisations understand just what personal data they're holding, they should then ensure that regular risk assessments are completed, in order to understand the level of threat imposed on the company when processing data.

"The GDPR, in fact, demands a risk-based approach with the development of appropriate controls. This should, in a single stroke, ensure that management recognises the dangers associated with the loss, misuse, theft or any other compromise of customer data. For organisations that pass data onto others, there is a tendency to presume that third parties operate to high standards of data security and protection. The GDPR now requires controllers to obtain sufficient guarantees of this before engaging with processors.

"Basically, as the data owner, you must check that the organisations you're working with have effective technical and organisational measures in place to ensure the security of the processing."

WATCH: Learn more about the security threats facing businesses today and how to combat them in this free webinar WATCH NOW

Featured Resources

The definitive guide to warehouse efficiency

Get your free guide to creating efficiencies in the warehouse

Free download

The total economic impact™ of Datto

Cost savings and business benefits of using Datto Integrated Solutions

Download now

Three-step guide to modern customer experience

Support the critical role CX plays in your business

Free download

Ransomware report

The global state of the channel

Download now

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

17 Sep 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

17 Sep 2021