There has been much written recently on the preparations for the new EU General Data Protection Regulation (GDPR), set to replace the existing UK Data Protection Act in mid-2018.
Ignore at your peril!
Breaching the new laws can attract fines of up to 4% of global turnover.
In addition, compulsory breach notification will make reporting to the proper channels mandatory within 72 hours from the point of detection. Failure to do so is likely to incur severe fines, so better make sure you are ready to roll out a perfectly executed plan, including customer and media communications!
So, whilst it’s 'hooray' for us all, as EU citizens concerned about who is using or abusing our personal data and how, it’s 'boo' for businesses that may previously have kept the requirements of the DPA locked in a cupboard because...well, it doesn’t really apply to us...it’s for big businesses processing lots of personal data. Wrong!
And don’t think Brexit could mean you don’t have to comply! It’s not where you hold the data but whose data you are holding.
If you are offering any type of product or service to the EU, it counts, no matter how small or large an organisation you are.
For those already confidently complying with the DPA, you are one step ahead. However, new requirements and changes to the way you currently do things will be needed.
And, whilst mid-2018 may seem like a long way away, the ICO warns,
“It is essential to start planning your approach to GDPR compliance as early as you can and to gain ‘buy in’ from key people in your organisation. You may need, for example, to put new procedures in place to deal with the GDPR’s new transparency and individuals’ rights provisions. In a large or complex business this could have significant budgetary, IT, personnel, governance and communications implications.”
The ICO have produced a useful preparation guide which includes ‘12 steps to take now’.
Compliance and governance
Many believe GDPR compliance will come at a cost but, at the very least, it will mean a review of existing policies and procedures and changes to many business processes.
For those with an existing information security management system, it will have an inevitable effect on governance, with cross-overs and maybe duplication across existing information security compliance regimes such as ISO 27001 and PCI DSS.
Managing the requirements of just one regulatory regime can be complex, but adding one or several others, all with interconnecting policies and procedures, could be the stuff of nightmares.
It’s why ISMS.online, our cloud software solution for managing your ISMS securely online, was designed to handle multiple compliances with an easy project approach to each.
Based on our core collaboration platform, pam, it has all the tools and frameworks to manage a complex ISMS, cutting out duplication and providing standard frameworks for repeatable processes.
ISMS.online offers a holistic approach to your ISMS, ensuring everything is easily managed from one proven and accredited platform, hosted securely at an accredited UK datacentre.