25th May 2018 is now only 257 working days away. Some reading this may wonder what the significance of that date is. Actually, according to a survey I conducted recently, probably about 33% of readers will be asking that question. Friday 25th May 2018 is GDPR day: the day our current Data Protection Act is retired in favour of the European Data Protection Regulation.
257 days sounds like quite a lot. 5 days in business can be a lot, but when it comes to GDPR, 257 days isn’t much time at all. In the days that remain, businesses need to:
- Know what data they hold and what they hold it for. They will need to take time to document and audit data, recording the data held, where it came from and where it is sent to. Even for small businesses, this is not a small task. In this day and age small businesses can hold masses of data. This could, however, be an opportunity for a cull of unwanted and out-of-date data.
- Review all current privacy notices. This could include development time on websites. Get in quick: web developers are going to get very busy, and costs could start to increase as we get closer to 2018.
- Ensure that procedures are in place to support the rights of the data subjects. There have been changes, such as the right to be forgotten and portability of data. Processes should be put into place now. It is too late once a request is received!
- Understand, if appropriate, how the business will deal with child consent. Again, this is likely to require changes to the websites. I will repeat the warning about getting in quick: costs will rise next year.
- Put in processes to monitor for and manage data breaches. There will be a legal requirement to report data breaches that compromise personal data within 72 hours of noticing them. Delays in reporting will not be looked on favourably by the ICO. Neither will data breaches that are not discovered for prolonged periods.
- Review business processes to ensure that data protection processes are built in. Here the business has a great opportunity to modernise and streamline processes. This will take time though.
- Appoint a Data Protection Officer if one is required. These will be in short supply initially and recruiting for such a key position could take some time.
Looking down the list, it becomes clear that 257 days is not long. So for the other 46% of my survey that said they didn’t understand the implications of GDPR, you do now. For the 35% that said they didn’t know when they would start implementation, now would be a good time, and for the 37% that have not committed any resource to this yet, do it.
The EU gave businesses two years to comply with this new regulation. Admittedly, communication hasn’t been brilliant from the various quarters. However, ignorance will be no defence and penalties will be harsh. Don’t get caught out: start your compliance activity now.