07th June 2017
Our Principal Consultant, Tim Cowland, explains the new regulations coming to the UK.
What is GDPR?
The General Data Protection Regulation, also known as GDPR, is a new rule coming into force in the UK on May 25th 2018. Designed to give people greater control over their personal data, it has huge ramifications for business compliance. The Regulation is an update to the Data Protection Act 1998 and impacts upon all businesses dealing with personal data.
What are the timescales?
The clock is ticking now. All businesses will be required to comply with the Regulation by May 2018. Many will have started the process already by following the steps mentioned below. However, if you haven’t, it’s not too late!
What does it mean for businesses?
The key changes to businesses are that there is now a broader definition of personal data meaning more careful consideration is required when processing data. There are also more demanding rules for gaining a person’s consent to process their data and there needs to be a greater level of transparency, accountability and auditability. Organisations need to build in Data Protection by design, which means that how personal data is processed needs to be considered in all that they do, including the planning of any new projects. There are also new rules as to how data breaches need to be notified.
What do you need to do? Our six point plan.
If you haven’t yet started the journey towards GDPR compliance, we would recommend following these 6 steps:
- Appoint someone who is responsible for achieving compliance before the deadline. This journey needs to be treated as a project which will impact upon many different parts of the business, so good communication and engagement is key.
- Conduct an audit of data, processes and security so you have a good understanding of the current position and where you need to focus your efforts to achieve compliance.
- Ensure staff awareness is maintained at all levels of the organisation and at all stages of the process. Attention needs to be especially focused on those who are directly responsible for processing personal information.
- Review and amend policies and procedures to make sure they reflect any changes to how data is processed, how data subjects are treated and how you deal with any breaches / data loss. A big part of the new Regulation is being able to demonstrate that you have the necessary procedures in place and that these have been communicated and followed.
- Build data management into your processes so that you have a good handle on the data you hold, where it comes from, who you share it with and how long you will be keeping it for. You will also need to seek assurances from software application providers that their software supports compliance.
- Check that the way in which you gain consent from data subjects meets with the new GDPR requirements.
How can Sovereign assist?
As a well-established business consultancy with many years’ experience in supporting businesses with Data Protection compliance, effective data management and information security best practice, we are ideally placed to support you in meeting the May 2018 deadline. Specifically:
- We can manage the whole process on your behalf using our proven project management methodology. This would involve assigning a dedicated project manager who would oversee the steps necessary and provide regular feedback to your management team as the project progressed.
- We are able to provide an overall audit of your data and processes to provide a roadmap for compliance.
- We have experienced trainers who are able to provide high level awareness training for management teams through to detailed practical training for frontline staff.
- We can assist with the development of new policies and procedures to ensure they are fully compliant with the new Regulation.
- We are able to offer a ‘Virtual Data Protection Officer’ who can be responsible for ongoing compliance with the Regulation after May 2018.
- Sovereign operates a Tier III standard data centre from our offices in North London. This data centre is ISO27001:2013 certified, meeting stringent data security requirements, and it allows customers to store the data they hold in a safe environment, providing a greater degree of reassurance against a malicious attack / data theft.