In December the European Union finally agreed on data protection laws that will remove patchwork rules that had been in place since the 1990’s.
As big data use becomes more prevalent the need to provide proper regulations has also increased and the potential for fines of up to 4% of global revenue are designed to severely punish those companies that breach the regulations.
It should be noted that despite the increased pressure on businesses to comply with regulations and the strict punishments, the General Data Protection Regulation is a good thing. It significantly reduces the complexity and costs related to complying with 28 different sets of rules and should make reporting a lot simpler.
Although the rules don’t come in to practice until 2018 it is necessary for business to plan ahead. With this in mind, CBR has compiled a list of best practices that should be undertaken to make sure that you don’t fall foul of the regulations.
1. Know where your data is
Those that are in charge of your data will have to ensure that personal data which is moved or processed outside the EU complies with the GDPR.
This is an extremely important element, it means that US companies will also be hit by this, say for example Facebook takes data from Spain and analyses the data in its US datacentres, this is still covered by the GDPR and Facebook will have to follow the same rules as everyone else.
Fail to follow the rules and a hefty fine will be heading their way.
2. Know what you can do with it
It’s important to know how exactly you can use the data that you have; understanding what is personal data and what is sensitive personal data is a must.
Sensitive personal data that can inform you of a person’s ethnicity and medical information has a higher level of protection and so it is important to obtain even your employee’s consent to keep it.
The GDPR underlines the privacy of personal data so from its implementation businesses will have to build ‘privacy by design’. This means that data must be gather with explicit rather than assume consent.
It also means that data can be withdrawn by people, so you can’t just accumulate data and store it away forever, you must have a policy for disposing of it.
3. Remind your staff of the rules
Potentially the weak leak in any operation, just look at some of the big data breaches that have happened because a person forgot to patch something or didn’t password protect their files.
A breach can happen but there shouldn’t be any excuse for neglecting the data privacy rules.
Whether you hold refresher sessions that train staff on the rules or perhaps outline the rules on posters around the office; it’s important to make sure the staff understand what the rules are and why they are important.
One of the reasons why they are important to the staff is that they could well lose their job if they are negligent.
4. Address your data collection policy
This is vitally important, you need to know what it is you can collect and who from. You may not necessarily need to employ a data protection officer but you will need the right resources in order to deliver the necessary change, which may include training existing staff.
Privacy should be at the forefront of business decisions, which may require changing processes.
David Smith, deputy commissioner and director of data protection, ICO, said: "Are you reviewing the personal data you hold, and why you hold it, to ensure that you can meet the requirement for ‘data minimisation’? Do you know what a privacy impact assessment is? Have you used one yet?"
5. Report a data breach
This is an important new element of the regulation that means that companies must report a data breach so having the correct breach management plans in place are vital.
You don’t just have to inform the local information commissioner, you have to have a policy in place for informing the victims of the breach.
Organisations will have 72 hours to report a data breach from the point of which it is discovered and while you may think you avoid a fine if you don’t report, this will actually just make it a lot worse.
Breaches of data protection will hit the business with fines of at least two percent of global turnover or one million Euros, whichever is greater. This is only for the most serious examples of breach and fines resulting to compliance failures haven’t been explained.
However, you can probably expect them to be quite severe due to the level of punishment related to a data breach.