Checklist For GDPR Compliance – Are You Ready?

The General Data Protection Regulation (GDPR) requires compliance. It sets out all the data protection responsibilities that your organisation needs to consider. It is essential to consider all aspects of the GDPR and to understand your role in it. It will affect those who are controllers of data and those who are processors of data. Here is a vital GDPR checklist to help you understand the compliance needed for your customers or prospects.

Your GDPR checklist

1. Conduct a data audit

It is important to be fully aware of the way data is used in and around your business. Information audits are a way of gaining in-depth knowledge about your data and identifying risks, such as how, for how long, and where information is held or transferred. An audit can also categorise the data and identify any sensitive information. Think of it as producing a map of data flows that highlights the strengths and weaknesses of your business.

2. Keep a record

Keeping a record of the data is crucial. There need to be well-maintained reports detailing processing activities. This will allow GDPR compliance to be managed efficiently. Completing an Information Asset Register is wise. This details the assets, what they do, their locations, owners, access, retention, and other aspects of data protection.

3. Understand the law

Be aware of the lawful basis for the personal data that you process. Most of the lawful bases for processing data require the processing to be deemed necessary. If you can achieve the job without processing the data, then it is not considered a necessity. If the purpose of handling the data changes, make sure this still complies with the regulation.

4. Ensure consent

Make sure you know the consent process, and how you request permission. Consent is vital as it is a legal requirement. The permission for data needs to be obvious, clear, and in a place that is apart from your terms and conditions. Consent must be via an affirmative opt-in method, and easy to understand. The individuals whose data you are handling need to know precisely what will happen to it and that withdrawal is allowed at any time.

5. Make withdrawing consent easy

Keeping records of consent helps to meet the high GDPR standards. Records will often have to include how you obtained consent, and when. As well as this, organisations should implement regular reviews of consent to make sure it is still appropriate. It should be easy to withdraw consent, and you should act on withdrawals promptly. No one should feel as though he or she cannot remove consent.

6. Show your commitment to privacy

Privacy notices should be prominent, and readily available. This allows the individual whose information is being controlled to know who has their data, why, and what will happen to it. Privacy notices need to be in a language any individual can understand, and in a place that is easily accessible.

Queries about data protection need to be answered quickly, with a procedure in place to deal with them. It is recommended to have timescales for responses, and training for staff so that they can manage responses and meet the needs of the data owner.

7. Data disposal

Allow for a method of removal and deletion. Make sure that there is a process in place for the elimination of information when the retention period for the records is over. It is helpful to set up a procedure for information deletion requests, and to identify those who will assist in the disposal of the data. The contract must include measures for this.

8. Review your policy

Your business must hold, monitor and review a thorough data protection policy. This allows security to be maintained and shows whether the policy is being implemented effectively. The policy needs to be managed, published, and distributed to all staff. It will need to be reviewed to make sure it is still relevant and still an effective policy.

9. Perform a DPIA

As well as your policy, you should review your data collection and storage. This will identify ways of reducing the amount of data that needs collecting and processing. This may also include a review of how the processing takes place, whether any features of the process need to be updated, and anything that requires further analysis. Performing a Data Protection Impact Assessment (DPIA) will help minimise the privacy risks that arise from processing unnecessary information. Hefty fines can be the result of a poorly conducted DPIA.

10. Appoint a DPO

Assign a Data Protection Officer (DPO), and train staff in the necessary aspects of the GDPR. The DPO will have to communicate with the Information Commissioner's Office (ICO) on behalf of the business. This individual will be responsible for the designation of data protection accountability.

Awareness of information security must be upheld at all times, with careful consideration of all aspects of risk. This will include issues such as data sharing abroad, including in and around the European Economic Area, as well as reviewing and managing the security within the technology itself.

Get your checklist ticked

If your business needs support with getting GDPR off the ground, then speak to the experts at Cyan Solutions who can help to prepare your business and help you to achieve GDPR compliance. For friendly, professional advice, get in touch with the team today.

The Financial Impact and Gains Of GDPR

The General Data Protection Regulation (GDPR) has taken four years of negotiations and debates, and the finalised legislation will come into force on 25th May 2018. As a business, the question on everyone's mind is: how much is GDPR going to cost me? Looking at the cost versus the gain of implementation, we have outlined what you could lose through non-compliance against what you can gain from being prepared for the EU's newest law.

Breach charges

The most obvious way to be financially affected by the GDPR is through non-compliance. As it stands in Paragraph Five of Article 83 of the official GDPR document, the penalty for breaching any of the legislation is a maximum of €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

While it is not currently known how high the actual fines for breaches will be, it is assumed that the initial infractions will set a precedent for subsequent charges. It is highly likely that the EU will impose high penalties to present a clear stance against non-compliance.

In the UK, the highest recorded fine for a data breach was given to the telecommunications company Talk Talk. Talk Talk was fined for a breach that exposed over 150,000 customers' names, addresses, dates of birth, phone numbers and email addresses, as well as thousands of customers' bank details and sort codes. In this instance, the cost to the telecommunications company was £400,000.

While the intended levels of breach charges are not yet known, starting the legislation with a strong message of control seems to be the aim of the GDPR regulators.

Impact of reputation

While a data breach is considered the highest financial impact of non-compliance with GDPR, it is essential also to consider the cost of a bad reputation. With modern technology, customer-affecting incidents rarely stay out of the news. While all eyes will be on the implementation of GDPR, it will not be long before it becomes clear which companies are not complying from the outset.

Regarding the Talk Talk breach mentioned earlier, it is estimated that the company lost 101,000 customers and suffered non-fine related costs of £60 million. Despite the violation happening in 2016, the company is still considered inferior to its competition, with a considerable amount of that down to lost customer trust. It can take a long time for companies to earn trust and just seconds to cause irreparable or long-term damage.

The financial gain of GDPR

While many businesses are worried about the initial costs in terms of time, resources, equipment and training, it is always important to remember the financial benefit that can be reaped from a well set up, well maintained and in-house regulated policy.

Running costs

Many international companies invest considerable funding in country-specific officers in charge of monitoring the company's data protection and liaising with government officials to ensure they are regularly updating and monitoring accordingly. Having an EU-wide regulation will enable organisations to have fewer staff working on the data protection side, as there is now only one regulation for all. This opens up opportunities for companies to deploy personnel to other aspects of the business.

Having one firm piece of legislation that applies to all companies also means that the cost of training new employees will be reduced, as organisations can set up one business-wide GDPR training system.

It may be assumed that jobs will be lost because country-appointed government liaisons are no longer needed. However, employees with this background and understanding can successfully be redeployed to a data protection officer (DPO) or monitoring role. These members of staff are the SMEs (subject-matter experts) and the trainers who can reduce the cost of training new employees on the difference between the old and new legislation and how it affects the business in-house.

Reputation 2.0

As previously discussed, the negative impacts on reputation are critical contenders in the cost element of GDPR; however, positive reputational results are essential to consider when looking to reap financial gain. Customers are going to be using their research to find out which companies they can trust, and this will be reflected in the publication of data protection procedures and in how prepared a company is to comply.

For your business, you can show your customers and prospects that their trust and your compliance are at the top of your priorities. Ensuring there is a clear outline, readily available to customers, highlighting how you as a business intend not only to comply with GDPR standards but also to keep your customers well informed and protected, will help boost the company's reputation in comparison to competitors.

Reap the rewards today

As GDPR comes into legislation on 25th May 2018, there is no time to waste. It is important to ensure you are prepared well in advance and have spent enough time broadening your knowledge on the topic to ensure there are no nasty surprises. To make sure you are ready, get in touch with the experts at Cyan Solutions today to provide your business with the tools you need to see the benefits of GDPR.

What You Need To Know About GDPR: 6 Key Principles

What is GDPR?

Formulated over a total of four years, the General Data Protection Regulation (GDPR) has been developed in order to monitor and regulate the new ways that consumer data is used in an ever more technologically advanced world. Replacing the 1995 EU Data Protection Directive, it is designed to implement stricter regulation, with hefty fines for non-compliance and data breaches, and to give consumers more control over how their data is stored and distributed by companies.

Principle One: Compliance and company-customer honesty

Any data shared with a company by a customer is still lawfully owned by the customer. GDPR is designed to help customers who share data stay in the know about what happens with it, and offers them the ability to review it. For businesses, the processing they carry out must match what they have outlined as their objective. Stricter monitoring of this means that any organisations breaching contracts between themselves, customers and the EU regulators will face higher fines and harsher repercussions.

Principle Two: Purpose limitations

The commencement date in May 2018 brings in new rules relating to the reasons for obtaining data. As outlined in the official document, personal data may only be collected for 'specified, explicit and legitimate purposes'. This means that customers consenting to a company holding their data cannot have their data used for marketing, consumer research or third-party distribution. Removing the clauses that allowed organisations to use submitted data in deceptive ways allows for a higher level of privacy and control over what is happening with your personal information.

Principle Three: Relevance

Where a customer would once supply a considerable range of their personal information to allow businesses to hold full records, the new legislation prevents companies from obtaining any data that they do not explicitly need. Anything not relevant to the process the data is required for must either never be obtained or be removed, to ensure compliance right from the start of the legislation.

Principle Four: Accuracy

If a company intends or needs to hold customers' information for a considerable length of time, it must now ensure not only that the data meets a 100% accuracy rate, but also that it is regularly updated to keep it current. Periodically checking the accuracy of the data is a secondary way to ensure that what is being stored is still relevant and required for the practice in question. Developing a successful method for managing and storing data also helps protect consumers against identity theft.

Principle Five: Limitations

Ensuring that the identification of data subjects is monitored and regulated allows businesses to regularly review the need for specific data. Applying company-based compliance settings on how long a consumer's data can be kept without regular review or use is a sure way to ensure GDPR is always being applied and to avoid stern charges and repercussions. Also, checking that deleted data is truly gone is a safe way to protect a company from any negative consequences, as well as protecting the customer from the dangerous distribution of their information or identity theft.

Principle Six: Security

While a business may be strictly following the legislation on the removal and relevance of consumer data, it is important to remember the importance of an air-tight security management system. Security is essential to ensure third parties cannot enter the system and obtain information that a company could be held liable for distributing. Employee confidentiality, two-step locking of computer systems, and remote storage are just three of the ways a business can ensure the protection of consumers' data, and its own licences.

Think about your clients

Consumers will be aware of the implications of GDPR and will know what to look for when assessing your business. It is worthwhile considering the customer's perspective to make sure your GDPR system is compliant in their eyes.

Consumer safety measures include:

• Terms and Conditions – Does your business make your terms and conditions, as well as the data opt-in, readily available?

• Requesting deletion – How will your business handle requests and cater to customer needs? What is the timescale for removal, and how can errors be avoided in this situation?

• Rights – Customers may ask for clarification on your policy to ensure you are a trustworthy business. Can your organisation provide the knowledge and peace of mind that the customer is looking for?

If you need help addressing any GDPR concerns, then get in touch with the IT Solution experts at Cyan Solutions. The team can help you to implement the necessary GDPR measures to ensure your business remains competitive, successful and compliant.

How GDPR affects charities

In addition to understanding the General Data Protection Regulation in businesses, it is also essential to understand the role of the GDPR in non-profit organisations. Any organisation that holds personal data will need to comply with the new GDPR. The new regulation can be an opportunity for charities to rethink the way they store data, and whether or not their processing of sensitive data is effective. There are several ways the GDPR might affect the way charities manage data and prompt them to reconsider their current processes.

Volunteers

The information about volunteers and the training they receive should be treated just as that of employees is, and this might result in a processing rethink. An audit is the preferred way to begin preparing for the GDPR. This will identify what information you hold, where it came from, and how you will use that data.

The audit will provide a basis for what needs to be done to comply. The location of the information is essential, as well as the length of retention and, most importantly, the risks associated with holding the data. These are all things that might need reconsidering; it may be worth following best practice in business to make sure non-profit organisations comply with GDPR.

Volunteers should also have the necessary and sufficient training for GDPR. This will include making sure there are refresher training sessions to keep data protection issues at the forefront of staff members' minds. Training can include how to transfer data securely and the importance of complex and regularly updated passwords. Any policies that you create as a result of the GDPR need to be distributed, and these policies need to be fully understood.

Individual consent

The individuals whose data you hold need to be able to provide explicit and educated consent. The information about consent will need to be separated from the terms and conditions and will need to be presented in a way that the individual can fully understand. Approval must be actively acquired and reviewed to ensure understanding and avoid miscommunication. Information about what data you store about an individual must be easy to find, and always present.

Consent will cover the donors as well as individuals that your charity helps.

Encrypted technology

Ensure that all technology used to store personal data is secure and encrypted. This should include hard drives and memory sticks. Encrypting technology can avoid data breaches, and protect the data of the individual, as well as protecting the charity.

Charities may need to include in their budget the scope for enhanced IT solutions, to make sure all of the technology they use complies with the necessary regulations. At Cyan Solutions, we can help to ensure you have the right IT solutions in place that will conform to the essential requirements.

The Data Protection Law Is Changing: What Does Your Business Need To Do?

Coming into force on the 25th May 2018, the General Data Protection Regulation (GDPR) will mean businesses have to adhere to new rules for managing personal data set by the European Parliament and European Council.

GDPR will be binding and enforceable. With the threat of hefty fines for non-compliance, here is our simple guide to what your business needs to know and act on before this crucial deadline.

Why is GDPR important?

With cyber security threats increasing, there has been a growing focus on safeguarding personal information. GDPR is a strict privacy law that offers potentially worldwide benefits and peace of mind to individuals who share their data. By protecting data, you can protect your business from potential exploitation, attack or data breach, any of which can significantly damage your organisation and its reputation.

Does GDPR affect my business?

If your business processes personal data for any individuals who live within the EU, then your business must adhere to the regulation. Even if your business is based outside of the EU, if you have personal data for anyone within the EU, the regulation still applies. If you are in the UK, despite Brexit looming, it is likely that the UK will continue to maintain this regulation. So, it is best to act now to avoid potential fines from next year.

What personal data is applicable?

Personal data is considered any information that may identify a person. Direct and indirect data collection both apply. Some of the information that is subject to GDPR regulation includes:

  • A subject’s name
  • Email address
  • Social media posts
  • Bank details
  • Medical records
  • IP addresses
  • Mobile phone IDs
  • Genetic information
  • Biometric data
  • Fingerprints
  • DNA samples
  • GPs

In fact, anything that can physically, mentally, economically, genetically, physiologically, culturally or socially identify an individual must be considered.

Even if your business does not keep data, you may still be liable to follow GDPR regulations if you process information on behalf of another business, agency or individual. You can find out more from the Information Commissioner's Office.

How can my business comply with GDPR?

It is wise for businesses, individuals and agencies which fall into the category of data controllers or processors to have access to an appointed person who has data protection knowledge and understands what to do to comply with data protection law.

For larger organisations, GDPR may require you to appoint a Data Protection Officer. For smaller teams, it may be beneficial for data protection to be a part-time role. Alternatively, it may be worth using a consultant with expert knowledge to help your organisation achieve compliance and maintain good practice standards.

What measures can my business take to improve data protection?

There are many ways that businesses can increase their security measures which, in turn, will help them adhere to GDPR regulations. Considerations for your business and its security include:

  • How can you make document management more secure?
  • Is your user identification sufficient?
  • Is your data encrypted?
  • Can you improve data overwriting or automatic deletion processes?
  • How can you protect your business from malware?

With GDPR coming into force, now is the perfect time to consider the accuracy of the information you hold, how accessible it is, and your storage and retention policies.

What happens if my business does not comply with GDPR?

Should there be a data breach, or should your business be found to be non-compliant, the penalties are serious. A severe issue could lead to a fine of €20 million or 4% of your annual global turnover, whichever is greater. Fines can be lower and will depend on the severity of the breach. What is important is that this is not a situation that is taken lightly, and investing in compliance could save your business in the future.

How can Cyan Solutions help?

With expertise in information technology, we can not only help your business understand the new GDPR regulation, but also enable it to achieve and sustain compliance.

If you want to find out more about how we can help to support your business with GDPR compliance, get in touch for friendly, expert advice.