The C-suite guide to GDPR: what you need to know

By Robert Half 25th August 2017

The General Data Protection Regulation 2018 (GDPR) deadline is less than a year away. It will completely change the way businesses deal with data and requires in-depth assessment of processes and internal systems. Despite this, many are still not ready for it.

A recent GDPR survey showed that 31% of organisations thought they were already compliant, when in reality, only 2% of them were. Research by Kaspersky has also revealed that just 38% of IT decision-makers have a good working knowledge of GDPR. When the penalties for non-compliance are so high, both in terms of customer trust and fines incurred, there’s no room for complacency.

The complexity and time-consuming nature of GDPR preparation should not be underestimated by businesses. Our general data protection regulation summary will help you gain a good understanding of the regulation itself and its potential effects, so you can plan more effectively.

What is GDPR?

The EU General Data Protection Regulation was drawn up by the European Parliament. It was four years in the making and was finally announced on April 14th last year, giving all businesses two years to become fully compliant.

The aim of the regulation is to protect the privacy of EU citizens and their data. Citizens will now have the right to exert greater control over how their personal details are stored and used, and can ask for them to be erased immediately under their “right to be forgotten”.

The potential general data protection regulation fine for non-compliance is 4% of a company’s global revenue. A general data protection regulation timeline, among other initiatives, will help you reach compliance in time to avoid any penalties.

Who does the GDPR apply to?

Organisations that process, store or use the data of EU citizens will be affected by the regulation. This extends beyond customer data and also includes data held on employees. Non-EU organisations that have employees or customers within the EU will also find that they are affected by GDPR.

The operational impact of GDPR

The new EU data protection regulation will have a considerable effect on day-to-day business, and its impact will differ from team to team and from project to project. Here are some of the potential issues you may need to be aware of.

Human Resources
The storage of employee and candidate data will have to change to become compliant with the European general data protection regulation. This includes implementing a process in which employee consent is sought for the collection and storage of their personal details. The new regulation will also affect how candidate CVs are collected and stored.

After May 2018, all employees will have the right to ask for their details to be deleted from the company system. This means implementing new software which makes it easy to find all of their data and erase it quickly.

Marketing
Sales and marketing teams typically rely on data to drive campaigns and will need to seek out more explicit, expressed consent before using information deemed ‘sensitive’. The future of data-driven marketing will ultimately rely on a clean list of ‘opt-in’ individuals.

Finance and accounting
Due to the large quantity of data they handle, the finance and accounting department will become a huge area of focus for any GDPR project. Automation and a solid data breach escalation process are two of the best ways to remain compliant in this particular department.

IT and technology
Digital transformation or automation projects may be affected by the new regulation, which can change the value they bring to employees or business initiatives. The IT department will also be key in implementing systems for better data security and storage.

Legal
Although data privacy and compliance already regularly affect day-to-day operations within the legal team, they’ll now find that contract management and client/supplier negotiations need more regulation and should be reassessed before the deadline.

6 steps to prepare your business for GDPR

Experts at the global consulting firm Protiviti believe that the best starting point is a top-down approach which aims to assess the highest-risk areas of the business with a GDPR checklist. This can be done using a Data Protection Impact Assessment (DPIA), something which is required by the GDPR itself.

  1. Start by identifying large quantities of sensitive personal information that the company holds, and data which the organisation holds, uses or sells that the customer may not be aware of.
  2. Assess the personal data that each team comes into contact with and how this can be accessed, stored and erased safely and securely.
  3. Review your privacy policy: will it need revisions, or need to be more explicit?
  4. Look at how you currently seek consent for data use (internally and externally) and assess whether it needs updating.
  5. After the DPIA, businesses will have a far better understanding of which areas of the business, departments and processes will be affected, and can create a compliance project plan.
  6. Once your compliance project is complete, run through your DPIA checklist again to make sure everything has been covered.

If you need to source additional talent to help implement your DPIA or GDPR compliance project, contact the Robert Half team today. We can help you secure quality professionals for interim, temporary or permanent positions so you can move into 2018 safe in the knowledge that your business is ready for the future of data protection.
