What is GDPR?
By now, we’ve all heard the term GDPR floating around. The majority will know that it stands for General Data Protection Regulation. Many understand that it will affect the rules around ‘opt-in’ data. Some know the five new obligations that companies must adhere to. Yet few of us have defined a strategy to ensure that by May 2018, when the new regulations come into effect, our organisation will be compliant.
For those not quite sure what the changes mean: twenty years on from the General Data Protection Act of 1998, May 2018 will see a long-overdue revamp of the way in which organisations must protect their data. Cast your mind back to 1998: Google formed as a company, Apple first introduced the iMac, dial-up internet was all we had, the Nokia 5160 was everyone’s favourite phone, and I believe Bill Gates got hit in the face with a cream pie that year (what a time to be alive!).
Technology has evolved exponentially, year on year, since 1998, and we are now faced with a whole set of challenges involving data security and the protection of personal information that simply weren’t a concern then. Although minor amendments have been made, the old regulations of 1998 are now redundant.
So what are these new obligations? How is your organisation affected? What role does procurement play? And what do we need to adjust to stay compliant?
New Obligations & How to React
A plethora of new rules is being introduced come May 2018, so we need to identify the core obligations and create an actionable plan. There are five key obligations that your organisation must meet, each of which will require significant effort. Although building a solid data protection structure will take time, it’s important to get the essentials nailed down ahead of the act coming into force. Here are the five key obligations, along with actionable tasks that you can implement right now…
Introducing the DPO…
The Data Protection Officer (DPO) will be mandatory for organisations matching certain criteria (which are yet to be defined).
ACTION: Appoint a DPO for your organisation and understand how they will integrate with the business as a whole, providing adequate support and resources to ensure they are able to carry out their job thoroughly. Depending on the size of the company and the work involved, the DPO can be an existing member of the organisation.
The Data Breach Notification
This refers to how companies react when their data security has been breached. GDPR states that breaches must be reported within 72 hours of the incident occurring, and that the Incident Response (IR) team must have an appropriate contingency plan in place to deal with such a situation.
ACTION: Have a formal battle plan ready to put into action should there be a security breach affecting your data. Work with your legal department or solicitor, along with the rest of the company, to create a step-by-step procedure to follow.
When any new project begins, privacy must be considered within the design phase rather than bolted on afterwards. GDPR makes this a priority.
ACTION: Embed privacy best practice across every member of your team. Liaise with different departments and educate them on this. Incorporate ‘privacy’ into any design checks that take place.
Supply Chain compliance
Not only do you have to ensure that your own company’s standards meet the criteria of GDPR; it is also your responsibility to ensure that your suppliers meet the guidelines.
ACTION: Supplier onboarding and methods of maintaining supplier compliance are most likely embedded in your supply chain already. These must now be updated to include GDPR. If you use an online tool to onboard your suppliers, this can be done easily by adding questions to the portal and even requesting documentation or proof in the form of outlined procedures.
Putting out fires is all well and good; however, it’s just as important to prevent them from starting. This falls under the heading of ‘risk mitigation’. Come May 2018, GDPR will require your organisation to factor this into its risk assessments.
ACTION: Adapt your current risk mitigation strategies to encompass the above and any further measures your organisation deems necessary. Put processes in place that make it easy for your DPO to track who has access to what information.
What measures has your organisation taken? If you found this article helpful, let us know! And if you need some assistance in getting your plan together, our experienced team of consultants are ready to help, so get in touch.
Some organisations have chosen to adopt the “Odesma Contract’s Factory”, whereby a tight, ring-fenced scope of work covering a number of the programme stages is outsourced to our specialised team of procurement and legal professionals, who take care of your GDPR contract compliance.
We have learnt some fundamental lessons about what it takes to achieve the right compliance levels for GDPR, and discovered that there are some real value-added by-products of the whole process, which our Contracts factory can help you with. To get further information on how our GDPR contracts factory can help you become compliant, fill in the form below or get in touch: [email protected] or 0161 433 7833.