The six-month countdown to the implementation of GDPR has begun. The threat of fines of up to €20 million or four percent of global annual turnover, whichever is higher, has caught the eye of CIOs.
"I think it's going to be an interesting couple of years for us all, and a bit of a roller coaster at times," AEG CIO David Jones told CIO UK. "People will have understood something one way, and actually it will turn out the regulator's interpreting it another way, and we'll be rushing around to catch up with that.
"I think we're all hoping the ICO will go after the likes of Google and Facebook first rather than smaller organisations, and that will help set some sort of case law."
Information Commissioner Elizabeth Denham described the implications as "the biggest change to data protection law for a generation" but most current data practices are being strengthened rather than overturned. CIOs still have time to ensure their organisation is prepared before the regulation comes into force on 25 May 2018.
First steps to compliance
Teams need to initially develop a readiness plan for the General Data Protection Regulation (GDPR). This will likely comprise representatives of legal, IT and HR with support from staff from other departments.
They then need to identify all of the personal data held in the organisation, taking particular care with sensitive information, and document it: the purpose for which it is used, the lawful basis for that use, where it is stored, how long it is retained, and who has access to it.
Procedures must be put in place for any data processing. Current practices may no longer be sufficient, as GDPR includes a number of new or strengthened data subject rights. The new list of individual rights reads as follows:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Organisations should evaluate their current data governance practices, and document the lawful basis for any processing. Any aspects that are now inadequate should be updated as required. Take note of how data flows across international borders.
Be careful to ensure that any children's data is used appropriately and that all consent is still suitable, as the requirements for both have been significantly strengthened.
The ICO provides a number of data protection self-assessment toolkits to help organisations check their GDPR readiness.
Raising awareness and skills
Many organisations will need to appoint a Data Protection Officer (DPO). The role is mandatory where processing is carried out by a public authority or body, where an organisation's core activities require regular and systematic monitoring of data subjects on a large scale, or where its core activities involve large-scale processing of special categories of personal data or of data relating to criminal convictions and offences.
Appointing a designated individual as responsible for GDPR is a wise move whether or not a DPO is obligatory, but responsibility for compliance runs throughout the organisation. Raise awareness of the implications through company-wide training sessions.
To ensure Yodel is compliant with GDPR, CIO Adam Gerrard has been auditing its use of data. The training provided to his team has made him confident that preparations are on course for compliance.
"My data protection specialist is already trained up," Gerrard told CIO UK. "I have a great IT cyber specialist who is fully up to speed with it and understands the concerns in that space as well. So the two of them are going through with a fine-tooth comb all our data sources, all our applications: what does this mean for us?
"I think we've got the right kind of rigour, and I think we understand the process we need to get through. There are a lot of areas of working, and that's just on the technology side. A lot of people forget that data protection isn't just about what's stored on the systems.
"Fortunately my team are smart enough to know this and are out there, looking at all the different processes that could potentially have personal information written down as well as stored."
Awareness needs to be raised throughout the organisation. The leadership team should set the example for the rest of their colleagues.
"There's quite a lot of due diligence to be done in most businesses," says Jones. "So it's definitely a focus for us, and there's a little joint working group between the information security director, myself and a couple of key people from our legal team in Europe as well."
GDPR compliance tools
RegTech software can help with GDPR preparations. A number of GDPR readiness tools are already available, ranging from new products to updates of existing solutions.
Syrenis Preference Centre collates and manages consumer preferences in a single cloud-hosted hub that lets companies and customers directly manage their preferences.
Evidon's Universal Consent Platform provides a single transparency and consent platform across channels, and lets users manage the new data subject rights in a simple interface.
Tealium iQ Tag Management is a tag management system (TMS) that offers visibility into the collection and usage of customer data through a single view of information from every source. It offers user control and an audit trail of actions.
Egnyte lets users identify and classify personally identifiable information (PII) across both cloud and on-premises repositories, and raises alerts on any activity that may need to be reported.
The MyLife Digital Consentric Platform gives a single view of permissions across the business and management of the legal justifications for data processing, while Experian has rolled out a free GDPR Maturity Self-Assessment tool.
Even existing office solutions can help in preparations. Databases, spreadsheets, collaboration tools, document management systems and project management tools all provide their own ways to monitor and control data processing, but they will likely need support from other tools and from staff throughout the organisation.