From May next year the new European Union General Data Protection Regulation (GDPR) will change the way businesses and public-sector organisations handle data. The deadline is looming and the threat of huge fines for non-compliance is pushing organisations to act quickly. So what are the most important things you should be doing now to get GDPR ready?
The new regulation will, in essence, form a more comprehensive extension of the data protection acts we already have. With the ever-increasing threat of cyber attacks and several high-profile security breaches already recorded this year, the need to protect personal data has never been greater.
A pressing problem for most businesses is where to start with GDPR, if they haven't already, when they don't even know what data they currently have or how they are handling it.
The even bigger question most organisations will face is who will actually handle this mammoth task, bearing in mind that some newly mandated roles will also come with legal responsibilities that could entail prison sentences for failure or negligence.
What are your current capabilities?
It is important to look internally and assess what your organisation's current capabilities actually are. The first step is to run an internal audit. In some organisations the responsibility for GDPR will sit with the legal team.
However, in most it will be in the hands of the information security function or a designated Data Protection Officer. Either way, these departments will need knowledge of the new regulation and the capacity to take on the workload.
Get the right people in
Once you have a good understanding of any gaps in your resources it is then advisable to seek help from specialist suppliers who are engaging with the challenge of GDPR. Resourcing suppliers with specialisms in IT and cyber security should have the capabilities to source either an individual or an entire team who have the ability to handle GDPR from the outset, without further training or investment.
We have already been approached for a number of permanent and contract roles across a huge range of commercial sectors, including financial services, consultancies and SMEs.
These positions have been anything from entirely GDPR specific hires, to blended positions which will encompass the demands of GDPR alongside other responsibilities.
Seeking an experienced supplier who is already actively sourcing candidates for roles like this is essential when finding the appropriate blend of experience and business acumen to do the job. It will pay off massively when it comes to finding the right person.
Have you sought business buy-in?
A key challenge for anyone working in this area is advocating a change in behaviours. In order for organisations to successfully adhere to GDPR everyone within the company needs to be fully on board with what impact this will have to the business and to their daily routine.
To prevent any resistance to the work that needs to be done, education and awareness, as well as collaboration between business units, are essential to the programme. In some organisations this has resulted in 'GDPR Champions': individuals who sit within different areas of the business to pioneer the strategy and serve as a point of contact for that function.
However you choose to do it, looking at ways to raise business understanding of what people are doing and why is an essential step to making the road between now and May 2018 a much smoother one.
Mary Worthington is a cyber security specialist at Sanderson Plc