Anything that is likely to ‘result in a risk for the rights and freedoms of individuals’ must be reported to customers and the data protection authority within 72 hours of first becoming aware of any breach. In the UK this is the Information Commissioner’s Office. Of course, it’s also very likely that some firms will not know the true scale or implications of such a breach in the early stages. Even so, you must ensure that you have contacted the relevant party within the allotted timeframe, outlining the nature of the problem, the people affected and what measures you are taking to address this.
Of course, there are numerous challenges to implementing all this, and being assisted by a strategic partner with fully compliant data officers will help you turn the approaching legislation into an opportunity to improve the data protection processes you already have in place. At the same time, a better understanding of the customer data you hold should present other benefits as you begin to tailor new products and services.
Under the terms of the GDPR you’ll also need to have a dedicated Data Protection Officer (DPO) in place if your organisation is a public authority (except for courts acting in their judicial capacity), carries out large scale systematic monitoring of individuals, or large scale processing of special categories of data or data relating to criminal convictions and offences.
Unfortunately, GDPR compliance doesn’t happen overnight, so it’s vital processes are put in place now. This means getting to grips with the data you hold and understanding just what will be affected by the new legislation. Could you quickly find where specific data sets are held and who is responsible for them if necessary? What about Subject Access Requests (SARs)? Are you equipped to deal with individuals who want to see the information you hold about them? If the answer is ‘no’ and things seem a little cloudy, then you could be in trouble.
By putting the right processes in place and working with a strategic partner, rather than risking a huge fine, the journey to GDPR compliance could well be a valuable one for your business as you unlock data silos, better understand what you hold and ultimately improve security processes for both you and your customers.