Blog: GDPR: One Year On - Eight things you need to do to maintain GDPR compliance
By Doug Trainer and Scott Bannerman of the cyber-security team at Scottish accountancy firm Scott-Moncrieff
On the 26th May 2018, many businesses across Europe breathed a sigh of relief: they had met the GDPR deadline.
Despite all the hard work done in the run-up to the GDPR deadline, the ongoing controversy around how high-profile companies have made use of their users’ data has kept this issue very much in the public eye and has highlighted that an ongoing focus on this area is essential.
While business as usual must continue, there’s no denying that workloads have increased in the last 12 months due to GDPR. Reports of data breaches to the ICO (Information Commissioner’s Office) have doubled since May 2018, so it’s important for companies to keep focused on data tracking, or risk being hit by a fine that could cost up to 4 per cent of global revenues.
So, what steps should businesses take to maintain compliance?
- Data stocktaking
As the GDPR deadline approached, guidance on what data needed to be captured was woolly. However, one year on, now is the time for your business to address where data lives and moves in the organisation, and whether you are clear on what is and isn’t GDPR compliant. If there is any confusion, this is something that the ICO or your business advisor can help to clarify.
- Categorise data
The next step, and one which we continually see to be the biggest pain point for businesses, is marking and categorising data in an inventory. It can be daunting for many companies to do this, and it’s often something that isn’t allocated the time it needs. If you don’t know where to start, consider bringing in outside help to achieve data inventory compliance for you.
- Supplier compliance
It’s not enough to know that your organisation is GDPR compliant; you also need to make sure that the suppliers and other companies you work with are too. We have seen organisations lose business as a result of not being compliant. However, it will ultimately come down to whether you want to take the risk of working with a non-compliant business or not.
- Check contracts
As part of your supplier contracts, it’s important to review and ensure that there is clarity on the process of data sharing between the parties. While you won’t need to re-write a contract (an amendment will do), take the time to check either way and act if needed.
- GDPR lead
No matter how big or small your business is, appoint a GDPR lead. This individual should understand the ins and outs of GDPR as well as ensuring data flow is being tracked correctly. You can speak to organisations like the ICO, the International Association of Privacy Professionals and business advisory organisations, who can provide guidance on what you need to know, actions you may need to take in the case of a breach, and where you can find training and resources to support you.
- Consider the cloud
If properly implemented, the cloud could become your company’s GDPR best friend. The major benefits of the cloud are the security, flexibility and protection it allows a company and its data. Many major cloud providers are already explicitly supporting the regulation and can offer services which are more secure and better maintained than some in-house IT services – a significant bonus in ongoing GDPR compliance. So long as you do your due diligence correctly – particularly by ensuring that the provider will not move your data outside the EEA without appropriate safeguards – this approach will enhance your efforts.
- Don’t sit idly
Just because the deadline has passed, it doesn’t mean that businesses can ignore ongoing compliance. With fines in the first 12 months of GDPR being live totalling €56 million across Europe (and French authorities noting that they were generous given this was a transition year), this number could be a lot higher during year two. To avoid being one of the companies hit with a hefty fine, it’s vital that businesses are proactive in maintaining their GDPR compliance and consider it as part of business as usual activities.
- Include GDPR in your Brexit Planning
If your organisation relies on transfers of personal data from the EU, then you need to consider that the UK’s status post-Brexit as a partner to the EU for data sharing has yet to be agreed. At a minimum, you should ensure that you know which (if any) data flows might be impacted by a change in arrangements, and that you are aware of the guidance on this area being produced by the UK government, the EU and the ICO.