Get Ready for GDPR: A Seven Point Action Plan

Posted 07/12/17

There is no escaping the General Data Protection Regulation Directive (GDPR). Brexit or not, it will become UK law, via a new Data Protection Act, on 25 May 2018.

As a result, you can expect to see the current steady stream of scare stories become a torrent in the new year, as the deadline for compliance looms and businesses large and small scramble to be ready.

But it doesn’t have to be like that. Taking action now to understand what GDPR means for you and your business, and to begin putting in place the systems and processes you need to comply, can make the whole thing a lot less painful.

That said, it’s only fair to point out that those scare stories are not totally without foundation. For instance, GDPR will usher in fines of up to €20m or 4% of global turnover, whichever is greater – figures that far exceed the current maximum of £500,000. Meanwhile, according to Marsh’s Global Cyber Risk Perception Survey, fewer than a third of all firms are ready for GDPR, and 55% of smaller firms have ‘no plan’ for GDPR compliance.

In that context, some twitchy reporting in the press is not a huge surprise.

So what can you do to kick-start the process of GDPR compliance?

Here’s a seven point action plan:

  1. Understand how GDPR affects your business: According to the Information Commissioner’s Office, "If you are currently subject to the Data Protection Act, it is likely that you will also be subject to the GDPR." That said, exactly how you will be affected depends on the data you collect, from whom, and how it is used and stored, so start by understanding GDPR and what it means for you. You can read Wired’s guide to GDPR here.
  2. Communicate with colleagues: Make sure everyone in the business understands what GDPR means and its potential impact.
  3. Review the data you hold: Make sure you know exactly what personally identifiable data you collect and store, and the lawful basis on which you do it - do you have permission from those whose data you hold? Why are you holding it, and for what purpose?
  4. Check your policies: Check that everything from privacy notices, policies and procedures to any other documentation you use is compliant with the new requirements.
  5. Secure your data: Review and, ideally, stress-test your security arrangements, and have plans in place to detect, report and investigate data breaches.
  6. Assess your staff needs: Work out whether you need to appoint or hire a data protection officer.
  7. Consider specialist insurance: Cyber insurance isn’t fundamental to GDPR compliance, but it might help to shield you from some of the financial and reputational consequences if you one day fall foul of the new rules due to a cyber-related incident.
