
7 Steps to Prepare Your Business for GDPR

You will struggle to find a business that is not implementing last minute changes with the impending General Data Protection Regulations (GDPR) deadline fast approaching.

GDPR are predominantly being introduced to ensure that businesses are now accountable for breaches and loss of data, which means that organisations are not only expected to implement better security features, but that they must also take the time to educate themselves on how hackers operate, too.

By the 25th of May, all new regulations will be in place, meaning that the way personal information is handled by organisations will change indefinitely.

Given the fact that this is the biggest shake-up to data privacy in twenty years, the changes are not going to be small ones, either… The new regulations will have far reaching consequences and they will impact the ways in which organisations get access to, store and use personal data.

Organisations have just under a month to ensure they are GDPR compliant and that will mean that they need to review the steps they have currently taken in preparation, to guarantee that all boxes are ticked come the 25th.

The team at Nucleus Commercial Finance thought it would be a good idea to put together a brief guide on GDPR and how organisations can comply with it properly.
 
  1. Educate Yourself and Others
The most important thing with the new GDPR is understanding exactly what they are so you can ensure you are implementing all the expected changes correctly.
Making sure that your organisation is as ready as it can be for the EU’s huge data privacy shake-up will mean that the transition will run smoothly.

All senior management within your organisation will need to know exactly how things are going to change and must be aware of the risks of failing to comply.
Additionally, everyone in your organisation that deals with data processing will need to not only know, but more importantly, understand their new obligations.
Failing to follow regulations can have huge repercussions for organisations, including fines up to 4% of global turnover or £20 million (whichever is greater).
 
  2. Review Privacy Rights
The new laws mean that data subjects have a number of rights relating to the way organisations collect and store their data. These include the following:
  • The right to access
  • The right to be informed
  • The right to data portability
  • The right to restrict processing
  • The right to rectification
  • The right to object
  • The right to erasure
 
Your organisation should not be too taken aback by these rights, as the majority of them are similar to the ones that already exist within current data protection laws. But, it is crucial that you and your colleagues familiarise yourselves with the changes so that you can put plans in place to adapt.
 
  3. Appoint A Data Protection Officer
The GDPR state that some organisations must have a data protection officer (DPO) on board, who will oversee all of their data protection strategies. The appointed DPO will also be responsible for overseeing the organisation's compliance programme.

The appointed DPO will also need to act as a point of contact for supervisory authorities, as well as individuals whose data is processed.
Whilst it is not necessary for all organisations to appoint a data protection officer, it is recommended that all organisations do so anyway. If your organisation strives to meet best practice guidelines, appoint a DPO regardless.
 
  4. Learn Everything You Need to About Legal Grounds
There are 6 lawful grounds for processing personal data under the new GDPR and after the May deadline, all organisations must meet one of those conditions if they process Personally Identifiable Information (PII). Failing to do so will result in hefty administrative fines.

Not only that, but organisations will then have to demonstrate that they have a lawful ground to process data.

Currently, the majority of organisations use consent by default, but the GDPR will tighten the reins regarding this most popular choice of lawful ground.
Check out what The GDPR Guys have to say about it and double check that you have legal grounds for processing personal data.
 
  5. Consent – Know Exactly What Is Meant by The Term
Whilst consent is often the most appropriate lawful ground, an organisation can no longer refer to this one by default without knowing exactly how it needs to be obtained.

When the GDPR come into effect, all organisations will need ‘explicit consent’ to carry out certain forms of data processing. Similar to the current regulations for obtaining consent, but with no room for error – explicit consent means that consent can only be acquired when it is provided in a clear statement, be it written or spoken.

It is also vital to add here that the GDPR clearly state that children cannot give lawful consent whatsoever because they “may be less aware of the risks, consequences and safeguards” of sharing data.
 
  6. Promote Accountability
The GDPR include requirements that actively promote accountability and list ways in which organisations can do just this.

The Data Protection Commissioner (DPC) has suggested that all organisations put together an inventory of all the personal data they store. Using this inventory, organisations should scrutinise all the data they hold using the questions below:
  • How did you obtain it?
  • Why was it initially gathered?
  • What are your reasons for holding it?
  • Is the data secure, in terms of encryption and accessibility?
  • For what time period will you retain it?
  • Does your organisation ever share it with third parties? If yes, under what circumstances would it do so?
 
  7. Be Prepared
One of the best things any organisation can do to transition through the GDPR is to plan for data breaches. Failing to plan is planning to fail, after all.

Perhaps the biggest obstacle that arrives alongside the GDPR is its data breach notification requirements. For those organisations or individuals who are not yet fully aware, as of May 25th, every single organisation must, without fail, report any data breach to their supervisory authority within 72 hours of discovery. Organisations will be required to provide as much additional detail as possible alongside the report.

If you feel that you do not completely understand all the changes being introduced by the GDPR, you can opt to work with experts that do. Working with experts who will help support your business is one of the best decisions a business owner can make.

There are hundreds of fantastic Cybersecurity firms out there that are waiting to collaborate with you, should you need it. Not only that, but they will also be able to evaluate your current security measures and advise on what needs to be done to be in full compliance with the new regulations.
 
 
Ultimately, this new shake-up is a good thing. A really good thing, in actual fact. Finally, there has been the long-awaited wake-up call for data security. So many are surprised that it has taken this long as the world has been a technologically driven one for years.

With the new GDPR comes a renewed comprehension of exactly what it means to live in a world so motivated by technology and electronic communication. People are now realising that their personal data is valuable not only to themselves, but to others too.

Thanks to the new laws on data protection, the data we share every day with organisations such as retailers, banks and hospitals, will hopefully no longer fall into the wrong hands.
Fraudsters and marketing companies, to name just a few, have been able to access a lot of data for years, but the new regulations will ensure that organisations do comply and respect our data privacy rights, once and for all.
