Will you be amongst the 50% not compliant under GDPR?

Gartner Analysts have predicted more than 50% of companies affected by GDPR will not be fully compliant by the end of 2018.

When GDPR goes live on 25th May 2018, businesses will face fines of up to £16m or 4% of global turnover, for non-compliance. Many businesses aren’t aware of the changes to the law let alone how they should prepare for them.

Gartner have given their top 5 recommended actions you should take, to help get you up to speed with GDPR requirements. If you would like to discuss any of these points in further detail, then contact Metaphor IT today where we can arrange to have one of our consultants go through this with you.

You can also apply for our GDPR readiness assessment where you will receive a report with actions and recommendations along with a road map to success.

Gartner’s 5 Focus Points:

  • 1. Determine your role under the GDPR

    Any organisation that decides on why and how personal data is processed is essentially a “data controller.” The GDPR applies therefore to not only businesses in the European Union, but also to all organisations outside the EU processing personal data for the offering of goods and services to the EU, or monitoring the behaviour of data subjects within the EU. These organisations should appoint a representative to act as a contact point for the data protection authority (DPA) and data subjects.

  • 2. Appoint a data protection officer

    Many organisations are required to appoint a data protection officer (DPO). This is especially important when the organisation is a public body, is processing operations requiring regular and systematic monitoring, or has large-scale processing activities. “Large scale” does not necessarily mean hundreds of thousands of data subjects.

  • 3. Demonstrate accountability in all processing activities

    Very few organisations have identified every single process where personal data is involved. Going forward, purpose limitation, data quality and data relevance should be decided on when starting a new processing activity as this will help to maintain compliance in future personal data processing activities. Organisations must demonstrate an accountable ground posture and transparency in all decisions regarding personal data processing activities. Outside parties must also comply with relevant requirements that can impact supply, change management and procurement processes. It is important to note that accountability under the GDPR requires proper data subject consent acquisition and registration. Prechecked boxes and implied consent will be largely in the past. A clear and express action is needed that will require organisations to implement streamlined techniques to obtain and document consent and consent withdrawal.

  • 4. Check cross-border data flows

    Data transfers to any of the 28 EU member states are still allowed, as well as to Norway, Liechtenstein and Iceland. Transfers to any of the other 11 countries the European Commission (EC) deemed to have an “adequate” level of protection are also still possible. Outside of these areas, appropriate safeguards such as Binding Corporate Rules (BCRs) and standard contractual clauses (i.e., EU “Model Contracts”) should be used. EU-based data controllers should pay specific attention to new mechanisms under the GDPR when selecting or evaluating data processors outside the EU and ensure appropriate controls are in place. Outside of the EU, organisations processing personal data on EU residents should select the appropriate mechanism to ensure compliance with the GDPR.

  • 5. Prepare for data subjects exercising their rights

    Data subjects have extended rights under the GDPR. These include the right to be forgotten, to data portability and to be informed (e.g. in case of a data breach). If a business is not yet prepared to adequately handle data breach incidents and subjects exercising their rights, now is the time to start implementing additional controls. Metaphor IT’s Managed Security Service can provide your business with capabilities to be able to monitor, detect, respond and adapt any data breaches that may occur and ensure you are compliant under GDPR.

Metaphor IT have a range of technology solutions available to help your business stay compliant under the new regulations. Contact us today to find out more.