Guest Blog by Mike James
The General Data Protection Regulation (GDPR) is a set of rules that will come into force on the 25th May 2018. Designed to addresses a number of issues regarding the collection, storage, use and protection of personal data, almost every business across the UK will need to follow the regulation.
So if you have your own business or you are responsible for any kind of personal data within a company, ensuring compliance with the new GDPR rules needs to be one of your top priorities. Here are five challenges that you might face as you attempt to become compliant.
1. Ensuring data is protected
One of the most shocking facts about UK businesses is that that more than 50 per cent of them have experienced some form of cybercrime. The majority of this actually hits small businesses, 66 per cent of which have seen cyber-attacks in the past two years. While this is bad for the companies themselves, it can be catastrophic for the people whose data is stolen. So when the GDPR rules come into force, companies will need to have far stronger and broader protection methods to ensure that any personal data stored by the business is secure. This might involve hiring a cyber-security expert for your IT team or working with an outside agency that specialises in cyber defences.
2. Gaining consent
Personal data has a huge value in the modern world with IP addresses, demographic details and email addresses regularly being used to market directly to individuals. For a long time companies have been able to collect and use customer and staff data without a great deal of regulation – this is something the GDPR looks set to change.
Legislators have decided that a major part of the GDPR should revolve around the importance of gaining genuine consent to use personal data. Many companies currently use phrases similar to: “by using our service, you agree to our terms and conditions” as a way to gain soft consent for the use of data. But under the new rules this won’t be acceptable, and companies must gain unambiguous, informed consent for the use of personal data.
3. The need to notify
As has already been mentioned – data breaches on businesses caused by any kind of cyber-attack are taken very seriously by the GDPR. Companies will now be required to inform relevant authorities within 72 hours of being made aware of the breach. In serious and high-risk cases, companies will also need to inform any individual affected by the breach.
This means that not only will companies need to overhaul their cyber security to ensure they have encompassing protection and detection techniques, but changes will also need to be made to data storage. Companies will need to have full and easy access to personal data records, so customers can be easily contacted in the event of a breach.
4. Updating internal data protocols
One of the overlooked challenges relating to the GDPR is the fact that it relates to internal staff data as well. Just as with customer data, businesses will now be required to gain far more specific consent regarding data that they can collect from their staff, as well as how they will use this data. Once again, the reliance on ambiguous or broad phrasing will no longer be an acceptable way to gain consent.
Some businesses that rely on larger numbers of freelance or short-term staff may have challenges in this regard. It may no longer be acceptable to hold onto the personal data of former employees without previously gaining consent to do so.
5. Providing adequate staff training
Finally, it should be noted that companies will need to provide their team with guidance and training to ensure that everyone is conforming to the new rules. There is a temptation to assume that the GDPR can be dealt with purely through your IT team but this will only lead to problems. For example, if you have a customer services team they will need to be given training on how to gain consent to use customer data to ensure that they are complying with regulations.
Additionally, as mentioned above, the HR team will need to understand how the rules surrounding their role have changed.