Whitepaper
GDPR: Time to Act
e. hello@novi.ie t. +353 (0) 1 621 8633 novi.ie
Technology for Business
25th May
The EU GDPR (General Data Protection Regulation)
comes into law on 25th May 2018. This may feel like a
long way away but the obligations contained in the
regulation are onerous and businesses need to be getting
ready now! The regulation will be applicable immediately
once the date arrives so businesses are being given
plenty of notice to get systems and processes in place so
that they are compliant.
So what’s the GDPR all about?
The GDPR introduces stricter data protection rules for
organisations that operate in the EU market and process
or hold the personal information of EU citizens.
The GDPR is designed to increase the privacy of
individuals and protect their personal data. Hefty
penalties may be laid on companies who experience data
breaches, with applicable fines of up to €20m or 4% of
global annual turnover, whichever is the greater.
Businesses are well advised to begin now (if you haven’t
already started!) putting in place procedures and systems
that ensure compliance and protection against potential
data breaches.
As cyber criminals get smarter and find more and more
ways to hack into companies’ databases, the risk of a
breach is increasing all the time. Unprotected companies
are not only risking their reputation with their customers
but when the GDPR comes into effect they will also be
liable to hefty fines in the event of a cyber-attack on
their data.
What are the implications for my business?
The GDPR places onerous obligations on companies to
demonstrate compliance, requiring them to:
1. Maintain certain documentation
2. Conduct a data protection impact assessment
3. Implement data protection by design
4. Prove clear consent to process personal data
5. Appoint a Data Protection Officer for large scale data processing
In the event of a data breach businesses must notify
the Data Protection Authorities within 72 hours.
All companies will have to adopt internal procedures
for handling data breaches. These requirements are
applicable to any sized business that processes personal
data for a commercial purpose, from a sole trader to an
SME to a multinational.
Don’t make the mistake of assuming this won’t apply to your
business because of size, turnover or amount of data
held. SMEs and smaller businesses are expected to manage
their data flows and processes to the same extent as
larger companies. Whilst some areas of the regulation
recognise that SMEs have fewer resources and reduced
capabilities and may well pose less of a risk to the privacy
of EU citizens, SMEs still cannot simply do nothing. They too have
to address the conditions of the regulation and become
compliant in as far as is possible.
Does my business need a Data Protection Officer (DPO)?
One of the major changes that the GDPR will introduce is
a change to how organisations manage their internal
governance around personal data. The requirement for a
Data Protection Officer was originally restricted to
companies with 250+ employees. The final version has no
such restriction and companies are left with the
responsibility of deciding themselves whether or not the
requirement for a DPO applies to them. Given the hefty
fines involved if an organisation fails to meet this
requirement, this is a daunting consideration.
So what factors do you need to consider to determine if you need to appoint a DPO?
The GDPR states that any company engaged in ‘large
scale’ data processing must appoint a DPO. The question
that many companies are asking is: what constitutes
large scale? To reach an answer, companies need to look
across their organisation at the data that they are
collecting, storing and processing. They must assess this
data in terms of volume and scope, including its
geographic reach, the duration it is held and whether
it is of a personal or sensitive nature as regards ethnicity,
religious views, health or criminal convictions. It is also
important to consider whether or not the processing of
the data constitutes a core activity in their business and
if monitoring of this data is regular and systematic.
A good example, in terms of the scale of data processing,
is the data held by an individual GP or small GP practice
as opposed to that held by a hospital. In this case both meet
the requirement in terms of the personal nature of the
information held, but clearly the hospital would be large
scale and the GP would not.
Another example would be a large insurance company
where the capture and processing of personal data such
as financial information would be a core activity versus an
independent broker where it would also be a core activity
but not on a large scale.
Also consider an online retailer that captures financial
and address information regularly and systematically
versus a company that maintains an email mailing list and
only holds email addresses and names captured on an ad
hoc basis.
Simply put, the criteria for a dedicated DPO are currently
somewhat unclear. Companies need to show discretion in their
decision as to whether or not to appoint a DPO while also
showing caution to avoid the risk of significant penalties.
Remember that your understanding of “large scale” doesn’t
necessarily match that of the Data Protection Authorities.
If you are unsure about appointing a DPO it would be advisable
to take advice from a company offering GDPR consultancy.
Of course, it has always been, and remains, good practice
to have someone in your organisation with responsibility
for handling Data Protection issues.
Is ‘large scale’ relative to overall company size or to the scale of data processing within the firm?
The purpose of the GDPR is to enforce greater privacy
and protection of personal data for the individual. If
companies are capturing and processing significant
amounts of data on a large number of individuals then
this constitutes large scale data processing, regardless of
the size of the company in terms of either profitability or
employee numbers.
Is GDPR only for B2C? What are the consequences for B2B companies?
Although B2B companies may not capture and process
an individual’s data on as significant a scale as some B2C
companies, the GDPR still has consequences for them.
Most B2B companies will undertake email marketing as a
way of reaching out to prospects. Under current law, you
can send an unsolicited email to an individual’s work
email address unprompted, once you have an option to
unsubscribe. Under GDPR you will need their prior
consent and furthermore, must be able to show proof of
consent. You will also be required to delete their data
after a set period of time under the ‘right to be forgotten’
directive contained in the GDPR. This and other
requirements, such as ensuring opt-in forms and
processes are compliant and consistent across the
organisation, now means that B2B companies need to
look at their current data governance function and adapt
it to ensure compliance.
B2B companies are also as open to a data breach as any other
organisation. In the event that they fail to report a breach, or
are found to be lacking in their cyber-crime prevention strategy,
they will face the hefty penalties laid out by the GDPR.
What’s the big danger for Irish SMEs?
The big danger for Irish SMEs is complacency and ‘it
won’t happen to me’ thinking. We see this regularly in
relation to cyber security – SMEs thinking that cybercrime
is reserved for bigger organisations. SMEs can’t afford to
think that they won’t be subject to the GDPR rules or held
accountable for any breach of these rules. The reality is
that this law will be wide reaching and enforced with
rigour, and SMEs will have nowhere to hide should they
be negligent in enforcing its requirements. SMEs would be
well advised to start preparing for the arrival of the GDPR
now, specifically in relation to the implementation of data
protection and cyber-crime prevention solutions. In order
to avoid GDPR penalties, SMEs must have their data well
protected with robust, fail-safe security solutions and
procedures in place.
What should I do next?
Inform your team – Make sure you raise awareness
internally of the change in the law. Identify the key people
in your organisation that can assist in the journey to
compliance and enlist them on the project.
Data review and audit – Conduct an internal review and
identify where data is held, e.g. HR records, supplier
contracts, financial records. Review how data is
processed and who has access to it. Document all the
findings.
Review your internal processes – Review your privacy
notices and data collection processes to ensure they
cover all the rights an individual has, especially around
consent to collect and hold their data.
Adopt privacy by design – Document and implement
methods to ensure that data protection becomes a key
component of the internal processes of the company and
is seen to be a key consideration in the early stages and
throughout the lifecycle of any project.
Appoint a Data Protection Officer – Consider appointing
someone within your organisation to take responsibility
ongoing for data compliance and protection.
Secure your data – Put systems in place to protect your
data from a security breach. Map technology to the
processes required to ensure compliance on an ongoing
basis. Work with a cyber security solutions company who
can put solutions in place that will identify weak links in
your network that could leave you vulnerable to attack.
Managed Security Services from a trusted provider can ease the pain
While GDPR compliance is not something that can be
achieved through technology alone, the provision of
‘State of the Art’ network security is clearly an essential
first step. To reduce exposure to the potentially crippling
implications of a serious data breach, it is necessary to
minimise both the number of network intrusions and their
time to detection. It is here that Novi can contribute
most to an organisation’s overall compliance efforts.
Novi’s cyber security service delivers reliable, high
performance and cost effective security as a managed
service, taking the headache away from companies.
As cyber threats are continually evolving and criminals
find ways to evade systems, the changing threat
landscape requires specialist expertise and a multi-layer
approach. Managing all of this in-house is a real challenge
for companies and many of them are migrating some or
all of the risk out of their IT departments into the hands
of professionals.
Along with our partners Fortinet, world leaders in
security, we utilise tools that are highly scalable, support
multi-tenant environments and provide robust,
single-pane-of-glass management to implement and
maintain a secure data environment.
Implementing Security Systems is not a once-off activity; it
requires ongoing monitoring and improvements as the
cyber criminal’s modus operandi moves at an alarming rate.
Our always proactive and highly structured approach ensures
businesses never expose themselves to unnecessary risks.
From initial engagement through to strategy,
implementation and support, we promise our customers
an unrivalled level of proactivity. Our service includes
24/7 network monitoring, as well as our unique offering
of weekly, monthly or quarterly scheduled,
Novi-subsidised onsite visits. In doing so, we reduce
unplanned system outages by 87% and helpdesk calls by
43% and reduce the risk of a cyber breach by an average
of 75%.
We work round-the-clock on our customers’ behalf to prevent
data breaches, which can result in regulatory non-compliance
as well as brand and reputational damage.
Don’t delay GDPR preparations
Although mid-2018 may seem a long way off,
businesses would be well advised to start planning now!
Systems and processes take time to change.
The countdown has started!
To assess your business or organisation’s readiness for
GDPR, visit https://www.gdprbenchmark.com/, a quick
online self-evaluation tool from Novi partner Microsoft.
GDPR: Time to Act 25th May
Technology for Business

More Related Content

What's hot

What's hot (20)

12 steps to prepare for GDPR
12 steps to prepare for GDPR12 steps to prepare for GDPR
12 steps to prepare for GDPR
 
Six Steps to Addressing Data Governance under GDPR and US Privacy Shield Regu...
Six Steps to Addressing Data Governance under GDPR and US Privacy Shield Regu...Six Steps to Addressing Data Governance under GDPR and US Privacy Shield Regu...
Six Steps to Addressing Data Governance under GDPR and US Privacy Shield Regu...
 
The Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t knowThe Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t know
 
The implications of gdpr for the solutions industry tatech 2018
The implications of gdpr for the solutions industry tatech 2018The implications of gdpr for the solutions industry tatech 2018
The implications of gdpr for the solutions industry tatech 2018
 
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
 
Are you GDPRed yet?
Are you GDPRed yet?Are you GDPRed yet?
Are you GDPRed yet?
 
GDPR 12 Steps infographic
GDPR 12 Steps infographic GDPR 12 Steps infographic
GDPR 12 Steps infographic
 
GDPR: how IT works
GDPR: how IT worksGDPR: how IT works
GDPR: how IT works
 
GDPR: Threat or Opportunity?
GDPR: Threat or Opportunity?GDPR: Threat or Opportunity?
GDPR: Threat or Opportunity?
 
[Presentation] GDPR - How to Ensure Compliance
[Presentation] GDPR - How to Ensure Compliance[Presentation] GDPR - How to Ensure Compliance
[Presentation] GDPR - How to Ensure Compliance
 
The GDPR Most Wanted: The Marketer and Analyst's Role in Compliance
The GDPR Most Wanted: The Marketer and Analyst's Role in ComplianceThe GDPR Most Wanted: The Marketer and Analyst's Role in Compliance
The GDPR Most Wanted: The Marketer and Analyst's Role in Compliance
 
WhitePaper- Archiving Supports HIPAA Compliance
WhitePaper- Archiving Supports HIPAA ComplianceWhitePaper- Archiving Supports HIPAA Compliance
WhitePaper- Archiving Supports HIPAA Compliance
 
How IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity LegislationHow IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity Legislation
 
ICO's Guide to Preparing for the GDPR
ICO's Guide to Preparing for the GDPRICO's Guide to Preparing for the GDPR
ICO's Guide to Preparing for the GDPR
 
GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018
GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018
GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018
 
Gdpr action plan
Gdpr action plan Gdpr action plan
Gdpr action plan
 
GDPR How to get started?
GDPR  How to get started?GDPR  How to get started?
GDPR How to get started?
 
Beginning your General Data Protection Regulation (GDPR) Journey
Beginning your General Data Protection Regulation (GDPR) JourneyBeginning your General Data Protection Regulation (GDPR) Journey
Beginning your General Data Protection Regulation (GDPR) Journey
 
Top 10 GDPR solution providers 2020
Top 10 GDPR solution providers 2020Top 10 GDPR solution providers 2020
Top 10 GDPR solution providers 2020
 
How will GDPR affect small businesses?
How will GDPR affect small businesses?How will GDPR affect small businesses?
How will GDPR affect small businesses?
 

Similar to GDPR: Time to Act

Similar to GDPR: Time to Act (20)

Cognizant business consulting the impacts of gdpr
Cognizant business consulting   the impacts of gdprCognizant business consulting   the impacts of gdpr
Cognizant business consulting the impacts of gdpr
 
Horner Downey & Co Newsletter- GDPR
Horner Downey & Co Newsletter- GDPRHorner Downey & Co Newsletter- GDPR
Horner Downey & Co Newsletter- GDPR
 
GDPR + Sales & Marketing A practical guide by Dan Smith Doogheno
GDPR + Sales & Marketing A practical guide by Dan Smith DooghenoGDPR + Sales & Marketing A practical guide by Dan Smith Doogheno
GDPR + Sales & Marketing A practical guide by Dan Smith Doogheno
 
What is data protection and why it is important for business
What is data protection and why it is important for businessWhat is data protection and why it is important for business
What is data protection and why it is important for business
 
3GRC approach to GDPR V 0.1 www.3grc.co.uk
3GRC  approach to GDPR V 0.1 www.3grc.co.uk3GRC  approach to GDPR V 0.1 www.3grc.co.uk
3GRC approach to GDPR V 0.1 www.3grc.co.uk
 
Are you GDPR Ready? Checklist Whitepaper
Are you GDPR Ready? Checklist WhitepaperAre you GDPR Ready? Checklist Whitepaper
Are you GDPR Ready? Checklist Whitepaper
 
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdf
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdfData Privacy Compliance Navigating the Evolving Regulatory Landscape.pdf
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdf
 
Microsoft and Tech Data’s Ultimate GPDR Glossary
Microsoft and Tech Data’s Ultimate GPDR GlossaryMicrosoft and Tech Data’s Ultimate GPDR Glossary
Microsoft and Tech Data’s Ultimate GPDR Glossary
 
General Data Protection Regulation
General Data Protection RegulationGeneral Data Protection Regulation
General Data Protection Regulation
 
Aon GDPR white paper
Aon GDPR white paperAon GDPR white paper
Aon GDPR white paper
 
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessGeneral Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
 
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
A Brave New World Of Data Protection. Ready? Counting down to GDPR. A Brave New World Of Data Protection. Ready? Counting down to GDPR.
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
 
2018 Client Briefing GDPR
2018 Client Briefing GDPR2018 Client Briefing GDPR
2018 Client Briefing GDPR
 
GDPR Compliance
GDPR ComplianceGDPR Compliance
GDPR Compliance
 
Data Privacy and Security in UAE.pptx
Data Privacy and Security in UAE.pptxData Privacy and Security in UAE.pptx
Data Privacy and Security in UAE.pptx
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPR
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPR
 
GDPR - what you need to know
GDPR -  what you need to know GDPR -  what you need to know
GDPR - what you need to know
 
Operational impact of gdpr finance industries in the caribbean
Operational impact of gdpr finance industries in the caribbeanOperational impact of gdpr finance industries in the caribbean
Operational impact of gdpr finance industries in the caribbean
 
#Privacy Matters - Come il regolamento privacy europeo da un problema può div...
#Privacy Matters - Come il regolamento privacy europeo da un problema può div...#Privacy Matters - Come il regolamento privacy europeo da un problema può div...
#Privacy Matters - Come il regolamento privacy europeo da un problema può div...
 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 

Recently uploaded (20)

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 

GDPR: Time to Act

  • 1. Whitepaper GDPR: Time to Act e. hello@novi.ie t. +353 (0) 1 621 8633 novi.ie Technology for Business 25th May
  • 2. e. hello@novi.ie t. +353 (0) 1 621 8633 novi.ie The EU GDPR (General Data Protection Regulation) comes into law on 25th May 2018. This may feel like a long way away but the obligations contained in the regulation are onerous and businesses need to be getting ready now! The regulation will be applicable immediately once the date arrives so businesses are being given plenty of notice to get systems and processes in place so that they are compliant. So what’s the GDPR all about? The GDPR introduces stricter data protection rules for organisations that operate in the EU market and process or hold the personal information of EU citizens. The GDPR is designed to increase the privacy of individuals and protect their personal data. Hefty penalties may be laid on companies who experience data breaches, with applicable fines of up to €20m or 4% of global annual turnover, depending on which is greater. Businesses are well advised to begin now (if you haven’t already started!) putting in place procedures and systems that ensure compliance and protection against potential data breaches. As cyber criminals get smarter and find more and more ways to hack into companies’ databases, the risk of a breach is increasing all the time. Unprotected companies are not only risking their reputation with their customers but when the GDPR comes into effect they will also be liable to hefty fines in the event of a cyber-attack on their data. What are the implications for my business? The GDPR places onerous obligations on companies to demonstrate compliance, requiring them to: 1. Maintain certain documentation 2. Conduct a data protection impact assessment 3. Implement data protection by design 4. Prove clear consent to process personal data 5. Appoint a Data Protection Officer for large scale data processing In the event of a data breach businesses must notify the Data Protection Authorities within 72 hours. 
All companies will have to adopt internal procedures for handling data breaches. These requirements are applicable to any sized business that processes personal data for a commercial purpose, from a sole trader to an SME to a multinational. Don’t make the mistake that this won’t apply to your business because of size, turnover or amount of data held. SMEs and smaller business are expected to manage their data flows and processes to the same extent as larger companies. Whilst some areas of the regulation recognise that SMEs have fewer resources and reduced capabilities and may well pose less of a risk to the privacy of EU citizens, SMEs still can’t do nothing. They too have to address the conditions of the regulation and become compliant in as far as is possible. Does my business need a Data Protection Officer (DPO)? One of the major changes that the GDPR will introduce is a change to how organisations manage their internal governance around personal data. The requirement for a Data Protection Officer was originally restricted to companies with 250+ employees. The final version has no such restriction and companies are left with the responsibility of deciding themselves whether or not the requirement for a DPO applies to them. Given the hefty fines involved if an organisation fails to meet this requirement, this is a daunting consideration. GDPR: Time to Act 25th May Technology for Business
  • 3. e. hello@novi.ie t. +353 (0) 1 621 8633 novi.ie So what factors do you need to consider to determine if you need to appoint a DPO? The GDPR states that any company engaged in ‘large scale’ data processing must appoint a DPO. The question that many companies are asking is: what constitutes large scale? To reach an answer, companies need to look across their organisation at the data that they are collecting, storing and processing. They must assess this data in terms of volume and scope, including its geographic reach, the duration it is held and whether it is of a personal or sensitive nature as regards ethnicity, religious views, health or criminal convictions. It is also important to consider whether or not the processing of the data constitutes a core activity in their business and if monitoring of this data is regular and systematic. A good example, in terms of the scale of data processing, is the data held by an individual GP or small GP practice as opposed that held by a hospital. In this case both meet the requirement in terms of the personal nature of the information held, but clearly the hospital would be large scale and the GP not large scale. Another example would be a large insurance company where the capture and processing of personal data such as financial information would be a core activity versus an independent broker where it would also be a core activity but not on a large scale. Also consider an online retailer that captures financial and address information regularly and systematically versus a company that maintains an email mailing list and only holds email addresses and names captured in an ad hoc nature. Simply put, currently the criteria for a dedicated DPO is somewhat unclear. Companies need to show discretion in their decision as to whether or not to appoint a DPO while also showing caution to avoid the risk of significant penalties. 
Remember that your understanding of “large scale” doesn’t necessarily match that of the Data Protection Authorities. If you are unsure about appointing a DPO it would be advisable to take advice from a company offering GDPR consultancy. Of course, it has always been, and remains, good practice to have someone in your organisation with responsibility for handling Data Protection issues.

Is ‘large scale’ relative to overall company size or to the scale of data processing within the firm?

The purpose of the GDPR is to enforce greater privacy and protection of personal data for the individual. If companies are capturing and processing significant amounts of data on a large number of individuals then this constitutes large scale data processing, regardless of the size of the company in terms of either profitability or employee numbers.

Is GDPR only for B2C? What are the consequences for B2B companies?

Although B2B companies may not capture and process an individual’s data on as significant a scale as some B2C companies, the GDPR still has consequences for them. Most B2B companies will undertake email marketing as a way of reaching out to prospects. Under current law, you can send an unsolicited email to an individual’s work email address unprompted, provided you offer an option to unsubscribe. Under GDPR you will need their prior consent and, furthermore, must be able to show proof of consent. You will also be required to delete their data after a set period of time under the ‘right to be forgotten’ directive contained in the GDPR. This and other requirements, such as ensuring opt-in forms and processes are compliant and consistent across the organisation, now mean that B2B companies need to look at their current data governance function and adapt it to ensure compliance.

B2B companies are also as open to a data breach as any other organisation. In the event that they fail to report a breach, or are found to be lacking in their cyber-crime prevention strategy, they will face the hefty penalties laid out by the GDPR.

What’s the big danger for Irish SMEs?

The big danger for Irish SMEs is complacency and ‘it won’t happen to me’ thinking. We see this regularly in relation to cyber security – SMEs thinking that cybercrime is reserved for bigger organisations. SMEs can’t afford to think that they won’t be subject to the GDPR rules or held accountable for any breach of these rules. The reality is that this law will be wide reaching and enforced with rigour, and SMEs will have nowhere to hide should they be negligent in enforcing its requirements.

SMEs would be well advised to start preparing for the arrival of the GDPR now, specifically in relation to the implementation of data protection and cyber-crime prevention solutions. In order to avoid GDPR penalties, SMEs must have their data well protected with robust, fail-safe security solutions and procedures in place.

What should I do next?

Inform your team – Make sure you raise awareness internally of the change in the law. Identify the key people in your organisation that can assist in the journey to compliance and enlist them on the project.

Data review and audit – Conduct an internal review and identify where data is held, e.g. HR records, supplier contracts, financial records. Review how data is processed and who has access to it. Document all the findings.
Review your internal processes – Review your privacy notices and data collection processes to ensure they cover all the rights an individual has, especially around consent to collect and hold their data.

Adopt privacy by design – Document and implement methods to ensure that data protection becomes a key component of the internal processes of the company and is seen to be a key consideration in the early stages and throughout the lifecycle of any project.

Appoint a Data Protection Officer – Consider appointing someone within your organisation to take ongoing responsibility for data compliance and protection.

Secure your data – Put systems in place to protect your data from a security breach. Map technology to the processes required to ensure compliance on an ongoing basis. Work with a cyber security solutions company who can put solutions in place that will identify weak links in your network that could leave you vulnerable to attack.
Managed Security Services from a trusted provider can ease the pain

While GDPR compliance is not something that can be achieved through technology alone, the provision of ‘State of the Art’ network security is clearly an essential first step. To reduce exposure to the potentially crippling implications of a serious data breach, it is necessary to minimise both the number of network intrusions and their time to detection. And it is here that Novi can contribute most to an organisation’s overall compliance efforts.

Novi’s cyber security service delivers reliable, high performance and cost effective security as a managed service, taking the headache away from companies. As cyber threats are continually evolving and criminals find ways to evade systems, the changing threat landscape requires specialist expertise and a multi-layer approach. Managing all of this in-house is a real challenge for companies, and many of them are migrating some or all of the risk out of their IT departments into the hands of professionals.

Along with our partners Fortinet, world leaders in security, we utilise tools that are highly scalable, support multi-tenant environments and provide robust, single-pane-of-glass management to implement and maintain a secure data environment.

Implementing security systems is not a once-off activity; it requires ongoing monitoring and improvements as the cyber criminal’s modus operandi moves at an alarming rate. Our always proactive and highly structured approach ensures businesses never expose themselves to unnecessary risks. From initial engagement through to strategy, implementation and support, we promise our customers an unrivalled level of proactivity. Our service includes 24/7 network monitoring, as well as our unique offering of weekly, monthly or quarterly scheduled, Novi-subsidised onsite visits.
In doing so, we reduce unplanned system outages by 87% and helpdesk calls by 43%, and reduce the risk of a cyber breach by an average of 75%. We work round-the-clock on our customers’ behalf to prevent data breaches, which can result in regulatory non-compliance as well as brand and reputational damage.

Don’t delay GDPR preparations

Although mid-2018 may seem a long way off, businesses would be well advised to start planning now! Systems and processes take time to change. The countdown has started!

To assess your business or organisation’s readiness for GDPR, visit https://www.gdprbenchmark.com/, a quick online self-evaluation tool from Novi partner Microsoft.