GDPR preparation: 2018 data protection changes

Changes to data protection rules will have major implications for your business

Your GDPR preparation timeline

One of the primary challenges for small businesses facing GDPR compliance is budget. As Clearswift's Dr Guy Bunker pointed out before GDPR came into effect, businesses had approximately two years to get compliant, so by allocating budget from that year onwards they could split the cost down the middle by spreading it over the two-year period.

However you arrange your budget, Dr Bunker advised that small businesses needed to be ready six months ahead of the GDPR compliance deadline, so that a buffer was in place to accommodate the hitches that would appear along the way. Here's what you needed to have been doing, and when.

First 6 months: If your organisation has more than 250 employees, then you'll need a data-protection officer (DPO). If you don't already have one then this post should be filled sooner rather than later, so that they can be involved in the journey towards compliance.

6-12 months: Work out where new procedures need to be introduced, such as security and breach notification. You should aim to get this in place early, so you have plenty of time to disseminate new policies and test new processes around your business.

12-18 months: Start conversations with suppliers and data processors to discover how they'll protect your information and respond to requests for data deletion. Look at tools to help in discovery, especially for "right to be forgotten" requests, which need to be done in the next two years.

A risk-based approach to the rules

Over the past six months, a lot of official guidance for SMEs has come from national bodies such as the Information Commissioner's Office. This has helped clarify and dictate the detail of what specific industry sectors must have done to be GDPR compliant.

Before GDPR came into effect, we asked Christine Andrews, managing director of the data governance, audit and consultancy firm DQM GRC, for her advice. It still applies today and should be acted on immediately by businesses that have yet to become fully GDPR compliant.

"First, organisations need to evaluate the personal data they have," she told us. "Categorise the data so you're clear where the personal and sensitive data resides, and where other, less important data sits in the company. Usually, drafting a data map will help businesses to understand the pattern of data through the company, provide clarity on who has eyes on the data, indicate what skills these people have and, finally, highlight where the data ends up.

"Once organisations understand just what personal data they're holding, they should then ensure that regular risk assessments are completed, in order to understand the level of threat imposed on the company when processing data.

"The GDPR, in fact, demands a risk-based approach with the development of appropriate controls. This should, in a single stroke, ensure that management recognises the dangers associated with the loss, misuse, theft or any other compromise of customer data. For organisations that pass data on to others, there is a tendency to presume that third parties operate to high standards of data security and protection. The GDPR now requires controllers to obtain sufficient guarantees of this before engaging with processors.

"Basically, as the data owner, you must check that the organisations you're working with have effective technical and organisational measures in place to ensure the security of the processing."

