Get Ready for GDPR: A Seven Point Action Plan

Posted 07/12/17

There is no escaping the General Data Protection Regulation Directive (GDPR). Brexit or not, it will become UK law, via a new Data Protection Act, on 25 May 2018.

As a result, you can expect to see the current steady stream of scare stories become a torrent in the new year, as the deadline for compliance looms and businesses large and small scramble to be ready.

But it doesn’t have to be like that. Taking action now, to start the process of understanding what GDPR means for you and your business and to begin putting in place the systems and processes you need to comply, can make the whole thing a lot less painful.

That said, it’s only fair to point out that those scare stories are not totally without foundation. For instance, GDPR will usher in fines of up to €20m or 4% of global turnover, whichever is greater – figures that far, far exceed the current maximum of £500,000. Meanwhile, according to Marsh’s Global Cyber Risk Perception Survey, less than a third of all firms are ready for GDPR, and 55% of smaller firms have ‘no plan’ for GDPR compliance.

In that context, some twitchy reporting in the press is not a huge surprise.

So what can you do to kick start the process of GDPR compliance?

Here’s a seven point action plan:

  1. Understand how GDPR affects your business: According to the Information Commissioner’s Office, "If you are currently subject to the Data Protection Act, it is likely that you will also be subject to the GDPR." That said, exactly how you will be affected depends on the data you collect, from whom, and how it is used and stored, so start by understanding GDPR and what it means for you. You can read Wired’s guide to GDPR here.
  2. Communicate with colleagues: Make sure everyone in the business understands GDPR, what it means for them, and its potential impact.
  3. Review the data you hold: Make sure you know exactly what personally identifiable data you collect and store, and the lawful basis on which you do it - do you have permission from those whose data you hold? Why are you holding it and for what purpose?
  4. Check your policies: In fact, check that everything from privacy notices, policies and procedures, to any other documentation you use is compliant with the new requirements.
  5. Secure your data: Review and ideally stress test your security arrangements, and have plans in place to detect, report, and investigate data breaches.
  6. Assess your staff needs: Work out whether you need to appoint or hire a data protection officer.
  7. Consider specialist insurance: Cyber insurance isn’t fundamental to GDPR compliance, but it might help to shield you from some of the financial and reputational consequences if you one day fall foul of the new rules due to a cyber-related incident.
