GDPR (the General Data Protection Regulation) is the new regulation that will replace the current Data Protection Act (1998) in the UK; it is being introduced in May 2018. A senior Xceed Group consultant recently wrote a blog detailing the changes to data protection legislation.

Now that you know what GDPR is, the next stage is to plan what you need to do about it and when you need to act. Almost all articles on GDPR headline with the massive increase in the fines that will be dished out to companies that do not comply with the new legislation. That is an important factor to highlight, but equally important are the steps companies should take to become GDPR compliant and avoid these potentially crippling fines.

Who does GDPR affect?

Firstly, it’s vital to understand which areas of your business (including external partners) have to be GDPR compliant.

If you manage or process Personally Identifiable Information (PII) about citizens in the EU, then you will need to take action to become GDPR compliant. This includes both Data Controllers and Data Processors.

The Information Commissioner's Office defines Data Controllers and Data Processors as follows:

  • A Data Controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
  • A Data Processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
  • Data controllers must fully understand where their data is and who is processing it. Data processors must have a contract with their data controllers so that each party is clear on their responsibilities.

Do you know who all your Data Processors are?

Data controllers are responsible for ensuring they use data processors that are compliant with GDPR. As a business, do you know which data processors have access to personal data that you are responsible for? These include:

  • Third parties processing data (e.g. call centre, market research company, loyalty cards)
  • Third parties providing infrastructure services (IaaS, PaaS, Cloud providers)
  • Application service providers (SaaS)
  • Other service providers e.g. outsourced payroll

As a Data Controller with many streams of data processors, a good place to start is to ask suppliers to carry out a Data Protection Impact Assessment (DPIA). Large-scale cloud suppliers, including AWS and around 20 others, have become members of the Cloud Infrastructure Service Provider in Europe (CISPE) to help their customers prepare for GDPR. It is worth reviewing the CISPE Code of Conduct for clear guidance on how to engage with cloud suppliers.

What process should you take to become GDPR compliant?

Xceed Group has developed a five-stage approach to becoming GDPR compliant:

  • Framework: Define the business understanding of, and approach to, the project
  • Discover: Understand the landscape
  • Analyse: Assess the impact on each element
  • Plan: Produce a clear roadmap
  • Execute: Deliver a rules-based plan

When to start preparing for GDPR

Based on a current GDPR project Xceed Group are working on, we estimate that a large organisation with around 200 applications will require 4-6 months of discovery and analysis to reach the point of understanding which systems require updating to become GDPR compliant. This is not a side-of-the-desk job that can be left at the bottom of the pile until next year: businesses (both Data Controllers and Data Processors) must act now to ensure compliance is achieved before May 2018.

If you have any questions, or would like advice on how to become GDPR compliant, please contact us; we will be delighted to help.