A lot was written about the impact the EU General Data Protection Regulation (GDPR) would have in the weeks and months leading up to May 25th 2018, the date when the new regulation would come into effect. According to a recent survey however, an eye-watering 60% of organisations were due to miss the deadline and are struggling to understand their responsibilities and implement technical controls to ensure compliance a month after it came into effect.
The new regulation is not only broad and far-reaching in what it covers, but comes with very sizable fines should an organisation, or person, be found to be non-compliant. Given the greater public awareness of individual rights under the new rules, on top of the seriousness of the potential penalties (up to €20 million or 4% of annual worldwide turnover, whichever is greater, for the most serious infringements), there can be no doubt over how seriously organisations need to take their compliance.
It is not only EU organisations that are affected. Any organisation with an establishment in the EU, and any organisation outside the EU that offers goods or services to people in the EU or monitors their behaviour (for example, an overseas website that tracks EU-based visitors), must demonstrate compliance with the new regulation.
With 99 articles in this sweeping legislation to understand and act upon, it is easy to see why some organisations are struggling to meet these demands even now that the deadline has passed. There is, however, still time for those yet to take action to do so.
GDPR, like the previous EU Data Protection Directive of 1995, is a law that seeks to protect the personal and sensitive data of individuals. The previous Directive did not anticipate the scale of data use by companies and organisations outside the EU, nor the range of personally identifiable information collected from online sources, such as cookies and IP addresses, as it came into force before the technology had become so sophisticated.
The greatest changes that you should be aware of are that individuals have the right to know how their data is handled, stored and regulated as well as having the right to be forgotten by an organisation.
Essentially, this means the onus is no longer on the individual to keep track of what data they provided and to which companies. It is on the organisation itself, as the 'data controller' (and on any 'data processor' handling data on its behalf), to know where and how this information is stored and used at all times, to inform the individual clearly, and to be able to erase the individual's data upon request, subject to the limited exemptions the regulation allows, such as data that must be retained to meet a legal obligation.
The regulation is now in force across the entirety of the EU, including the UK, which has written it into domestic law through the Data Protection Act 2018 so that it continues to apply after the UK leaves the EU in 2019. Because it is a regulation rather than a directive, it applies directly and gives all organisations one set of rules to follow across countries and borders.
The other area it covers is cyber-security, a rising concern for all individuals and companies as the frequency and severity of cyber-attacks continues to rise. The heavy financial penalties also apply to failures to keep personal data secure, not just to administrative non-compliance, although the regulation has two tiers of fines and failures of security of processing fall under the lower tier of up to €10 million or 2% of annual worldwide turnover. Under the new regulation, organisations must report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, and must notify the affected data subjects without 'undue delay' where the breach is likely to result in a high risk to them.
Whilst compliance can feel like a minefield, what is clear is that GDPR compliance must be taken seriously by all concerned. This absolutely has to include the board of every organisation.
For a long time, directors have often turned a blind eye to areas they deem 'not within their expertise'; GDPR will certainly change this approach. A recent survey conducted by law firm Fox Rothschild found that only 14% of companies reported that they train their directors on cybersecurity issues. This figure has to change, for everyone's sake.
GDPR requires a Data Protection Officer to be appointed by public authorities and by any organisation whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive data (the 250-employee threshold often quoted relates instead to the duty to keep records of processing). There is a growing movement that suggests the DPO should be a board-level position; however, finding someone with the skills to address financial, IT, legal and compliance issues is not an easy task.
Any director should also be aware that if the board as a whole, or an individual member, is found to be at fault in a data breach, they could face criminal charges under national law. Even if criminal charges are not pressed, their actions could result in the termination of their position.
As a director, it’s not only the parent company’s compliance that should concern you. Every subsidiary needs to be compliant, as well as any potential acquisition your organisation may make. The due diligence around any acquisition or merger now must include a GDPR compliance check and strict scrutiny of their data protection controls and procedures.
Whilst the deadline may have passed, it is never too late to start working on your compliance programme. The first step any organisation needs to take is to designate someone accountable for data protection, appointing a Data Protection Officer where the regulation requires one.
The biggest change that some organisations may face however is an acceptance from current board members to acknowledge that cyber security issues are a matter for the board. Given the importance of data protection and cyber security post-GDPR deadline, expect to see a shift in the background of directors appointed in the months and years to come.
The easiest way to ensure your whole organisation understands the importance of this, as well as its responsibilities, is to foster a transparent attitude to data protection from the top down.
eShare's online board portal, BoardPacks, has been enabling boards to tighten their information security for nearly 15 years. With ISO 27001 certification across the entire organisation, eShare is built to protect your board's sensitive data, whether in the boardroom or out of the office working remotely via a mobile device.
Giving all your directors access to the information they need to know about your GDPR policies in one place, makes it much easier for them to find the information they need and ask the right questions when it is discussed.
For administrators, BoardPacks makes it easy to correctly assign and change permissions, and to see who has access to what information.
With the help of our interactive risk heatmap feature, directors can stay on top of risks more easily as well as demonstrating transparently once an issue has been resolved and storing this resolution securely and easily for any future audit. Ensuring compliance may cause headaches, but once compliance has been met, demonstrating this clearly and efficiently should not cause further issues.
With data centres in both the UK and mainland Europe, eShare is well positioned to support your continued compliance, wherever your organisation is based in Europe, even after the UK officially leaves the EU in 2019.
If you would like to arrange a free demonstration of BoardPacks or receive more information about our data security measures, please contact us today for a no-obligation consultation.