GDPR stands for General Data Protection Regulation. The fines for a breach? 20 million euros or four percent of a company’s turnover. That penalty is avoidable and clearly undesirable, so acting as early as possible will best position your SME to conduct business within the remit of legal practice.
With legislation set to be in place by May 25th 2018 it’s important to recognise the impact that this will have on your business. One of the most prominent misconceptions is that GDPR will just be enforced on the largest multinationals, however, this is not strictly true. Companies will have to be compliant, regardless if you know what that looks like yet or not.
Insight 1: GDPR is an EU based initiative, however, will still be applied in the U.K. once Brexit is invoked.
Matt Hancock the UK’s digital Minister had this to say on the 22/March/2018 on the topic of Brexit and GDPR:
“There is clearly huge benefit for both the rest of the EU and the UK in having a strong, rich and deep relationship in terms of how data are transferred, but as the evidence of the past few days has shown, that must be done on the basis of strong data protection. That is why we have the Data Protection Bill before the House, and why we think that the GDPR is a good measure that we will not only implement but implement in full, and we will make sure that we have that relationship in the future.” (source: Parliament.co.uk)
This means that if your SME operates in Britain and across the EU you will not be exempt from compliance with new legislation.
How can my business become GDPR compliant?
Clear Strategy has developed a framework (which we will discuss further in later posts) to assist and guide your SME through this stage of a companies journey. You are the expert on your business, so stay at the helm and run its operations. Preoccupation and concern with GDPR is noted as a huge headache for SMEs (Survey Source) directors and senior management, regardless of their region. The best method to ensure success and instil confidence and belief among your team and clients alike is to incorporate the frameworks from those whose full-time focus and research is to align SME operations with GDPR.
Insight 2: In many instances, a DPO (Data Protection Officer) appointment will be required.
The WP29¹ considers the necessary DPO skills and expertise to include expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR;
- Understanding of the processing operations carried out;
- Understanding of information technologies and data security;
- Knowledge of the business sector and the organisation;
- Ability to promote a data protection culture within the organisation.
The role of the DPO may be contracted out to an external service provider and, where it is, the DPO may be a natural person or a legal person (e.g., a limited company).
For more information and clarity regarding this feel free to contact our GDPR specialist team at info@clearstrategy.ie.
GDPR Broken Down
In its most accessible, and summarised, format GDPR can be grouped into 4 categories
- Comprehensive understanding of data in your possession and transparency when using it.
- Empirically clear consent for data usage
- Data Security. Requiring GDPR compliance for all companies that operate within your supply chain.
- Facilitating user Requests to retrieve and deletion their data.
These four aspects of business strategy and operations are central to the efficient framework developed by the team at Clear Strategy who make GDPR their personal business.
Insight 3: GDPR is not retrospective
GDPR is currently within a phasing in period until May 25th 2018 when it becomes enforced. As it is not retrospective breaches of GDPR before this date will not be penalised, however, illicit activity can and will be from May 25th onwards.
As discussed GDPR is coming into effect as of May 25th 2018. The facts are apparent, the consequences laid out, but how do you put into place actionable compliance mechanisms? SMEs need to immediately internally evaluate all operations related to, and interacting with, client and users data and set to align these with incoming legislation.
Where to start?
At Clear Strategy we have outlined 5 steps for SMEs to bring them from a no knowledge GDPR position, to a fully compliant and protected enterprise, all the while maintaining previous operational efficiency throughout.
Review
Review all facets of client facing and interaction points of your business. Simply speaking if your business acquires personal data to generate user accounts, process payments, send promotional material or even tracking CPCs (cost per clicks) through a web page and much more, you’ll need to evaluate your data protection mechanisms and examine the new data usage parameters.
Clear strategy makes this simple. We utilise a robust process of internal surveys, combined with our scoring algorithm to present a GDPR readiness level to clients. Upon reviewing this it is unequivocally apparent where efforts need to be focused in order to prevent forthcoming penalisation.
Evaluate
The ‘Maturity Assessment’ model introduces stage two, the evaluation phase. The Evaluation stage gathers all data and results from the ‘Review’ phase and provides insight to clients and Clear Strategy showing where immediate actions are needed.
Action
These metric’s results allow us to take efficient and correct actions working to solve your issues with bespoke solutions, providing tailored advice to clients, from hands-on DPO (data protection officer) position assignment or training, to ad hoc consultancy and advice. Clear Strategy put the metrics in place with the prioritisation of tasks in standardised form and assistance to complete them.
Results
The results of putting the previous stages into action is that your business will be aligned with GDPR legislation alleviating you from the risk of fines. However, there are notable lapse points in the future, thus one must maintain the modus operandi throughout the lifetime of the business. Clear Strategy works with companies before, during and after May 25th to ensure all facets of the business operations are sustainable and resilient to the effects of daily changes in a business. This can involve drawing up process mapping documentation for new employees, as well as setting out clear attainable information for each client’s customers.
It’s imperative that GDPR is embedded into all business practices, this is at the forefront of Clear Strategy’s focus. Clear strategy ensures ongoing compliance for a more efficient organisation
Going forward
A lot of organisations have survived the GDPR transition to date, however, the true measure or real test is yet to come. Transitioning from a compliance program to business as usual, will be a challenge. New business processes that have been put in place will act as a true measure of GDPR compliance.
We structure our DPO services into three distinct phases, each phase having a particular focus on specific activities. Clear Strategy’s significant experience in Data and Information projects, and Process Improvement projects in addition to our custom-built GDPR artefacts proves very beneficial in helping our customers transition to ‘business as usual’.