A Beginner's Guide to GDPR
On May 25th, 2018, the deadline for GDPR compliance came into effect. GDPR, or the General Data Protection Regulation, was made to unify data protection rights for users and strengthen them in the process. All organizations MUST follow the rules, which exist to protect all the personal data they hold as a corporation. Some of the things GDPR protects are supplier data, customer data, employee data, and data relating to members of the public. Any data a company processes falls under this regime, and you need to make sure that everything you do follows the GDPR.
What Happens if You Don't Follow GDPR?
Ok, so we know why you need to follow the GDPR, but what happens if you don't? Simply put, expect some huge fines if you don't follow the rules and regulations of GDPR. The general fine is up to 20 MILLION dollars, or 4% of annual gross turnover, whichever is greater. Obviously, for most companies, a fine like that would be devastating. Is it worth the risk of doing nothing?
Common GDPR Mistakes
There are a few mistakes a lot of organizations are making that fall within the scope of the GDPR rules. A large number of companies are not identifying the full extent of the personal data they hold, all of which falls under the rules of GDPR. Organizations need to realize that the rules are not just for employee files, email addresses, and customer information. The rules also cover online use, recordings, anything you have in a cloud database, photographs, and much more. It is important to be very diligent and to be educated in everything the GDPR rules cover. Small details are just as important. Rules covering the collection and sharing of data, and the length of time you retain it, are all part of the GDPR, and as a business, it is your responsibility to make sure you are always compliant.
One of the big changes the GDPR brought about is the need for organizations to be accountable by keeping documents and a paper trail of everything they do when processing and accessing any personal data. Most companies are most likely not documenting their activities to the extent they need to under the GDPR. This is something you should be taking care of immediately as a company.
The Effect of GDPR on Organizations
How will the GDPR affect my organization as a whole? There are many things to keep in mind when doing anything that relates to GDPR procedures.
What are you doing with the marketing data you already have? Does it comply with the new stricter laws that are now in place?
Does your company share data globally?
Does the entire staff understand the new GDPR rules, and are they going to follow them to the same extent you are?
Are you aware of Data Protection Impact Assessments, and have you used them before adding CCTV recording or anything else that processes data on a large scale?
Where to Start with GDPR?
With so many rules under the GDPR, it can be overwhelming to start making sure you are compliant. The best way to start is to do a data mapping exercise. That way you can identify all the sources of personal data you have within your company, how it is used and to what extent, and who has access to it. There are consulting firms that can do this for you, typically through a simple questionnaire you fill out so they understand your company better; they then use that information to do a complete analysis of your company. Alternatively, you can use a GRC tool such as StandardFusion to help identify these sources and perform an impact assessment. While these solutions do have a cost, it is much less expensive than a potential fine down the road.
The GDPR is very extensive, very detailed, and very serious. If you have a company that stores ANY type of personal data, you must make sure you are compliant. The GDPR is already considered the law, so you have no time to waste. On top of keeping yourself safe from fines, you are doing your employees and your customers a service by keeping their data safe.