Accountability and governance
Under GDPR, the significance of accountability and governance principles will be elevated. Companies will be responsible for how they collect, store and use personal data, including having in place data protection policies and impact assessments, in addition to having relevant documents on how data is processed.
To demonstrate that they have complied with these principles, firms should take the first step of communicating these new policies and systems to staff through comprehensive training in business practices, protocols and internal procedures.
Companies will also be responsible for reporting personal data breaches to the Information Commissioner’s Office (ICO). In recent years, high-profile household names across multiple sectors, including banking, telecoms, professional services, leisure and retail, have put their employees and customers at risk when sensitive information, including names, addresses and personal credentials, was stolen in security breaches.
Under GDPR, a data breach is more than just losing a customer’s personal data. It is defined as the “destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. Notification of breaches becomes mandatory in cases where the breach is likely to “result in a risk for the rights and freedoms of individuals”.
Article 33 states this should be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
As companies will now be responsible for data security, all stored data should be reviewed for obsolete and duplicated information. Businesses should also be proactive by preparing a contingency plan for a possible data breach and continuously reviewing organisational practices so that they are not found to be non-compliant.
According to the Government’s Cyber Governance Health Check 2017, carried out by consultancy KPMG, over two thirds (68 per cent) of FTSE 350 boards have not received any training to deal with a cyber incident, showing just how unprepared many of the world’s largest firms currently are for a deadline that is quickly approaching.
Additionally, Article 37 discusses the designation of a data protection officer where companies carry out "regular and systematic monitoring" of individuals on a large scale or process sensitive personal data on a large scale. To manage this requirement, a third-party service should be considered by firms that do not have the resources to introduce a compliance or data officer role.
The conditions for consent have been strengthened, and under Article 7, consent should be “clear and distinguishable from other matters and provided in an intelligible and easily accessible form”, and there ought to be some form of clear ‘affirmative action’, meaning an opt-in rather than an opt-out. If your business relies on individuals’ consent to process their data, now is the time to begin securing their approval and to validate that you have received it before GDPR comes into force.