The way we collate and store data is changing – and 2018 will see the biggest change to the data protection rules in decades. The implementation of the General Data Protection Regulation, known as GDPR, in May 2018 will mean there are stricter rules around how data is protected, processed and utilised by companies.
Here, Rafal Jaczynski, Chief Information Security Officer at Staples, sheds light on the upcoming changes in data security and why it is crucial to be aware of how it will affect you within the workplace.
What is GDPR and why is it essential?
“[GDPR] regulates the legitimate and compliant use of personal data, and in my view it is the most ground-breaking privacy regulation in this space for the last 20 years,” Jaczynski explains.
This is because GDPR will create a uniform approach to data protection across the EU and will protect the privacy and personal data of all EU citizens, something which has rarely been attempted before on such a large scale.
The implementation of GDPR will lay out more advanced and in-depth requirements relating to compliance and accountability, and all companies within, or working with, the EU will need to abide by specific requirements.
Within the new regulations set by GDPR, companies will need to gain consent from EU citizens regarding how their personal information is used. It will also give individuals more rights around their personal data – the definition of which is now much broader.
“Personal data is any data relating to an identified or identifiable person. If the person can be uniquely distinguished within a group or with relatively little effort identification can be achieved (i.e. with the use of indirect identifiers such as loyalty card number, telephone number, UID, cookies, IP-addresses, credit card number) then the game is over – you are processing personal data and are subject to GDPR provisions,” said Jaczynski.
All companies operating within the EU will be subject to GDPR regulations, and those who are not compliant by the time this comes into force will be hit with a large penalty – up to 20 million euro or 4% of the annual worldwide turnover, whichever is greater.
What do companies need to do to make sure they’re compliant?
“A mental checklist through even the most basic questions will help businesses assess their readiness for compliance…and if it is not there, it is the last time for the wakeup call,” said Jaczynski.
Companies with more than 250 employees will need to employ a Data Protection Officer who will be responsible for the way data is collected and how it is stored. Companies with fewer than 250 staff will also need to be compliant with GDPR – they will need to establish how they process data and what changes they will need to make in order to be compliant.
“Have someone with the ability to transform their organisation from ‘have to comply’ to ‘want to comply’ – assess the risk and invest wisely having in mind the regulatory fines that are at stake,” recommends Jaczynski.
There are a number of other questions and processes your organisation will need to look at to make sure you are ready for GDPR, he said:
“Do you use the personal data only for the goals for which they were collected? Are you sure that no more personal data is used than strictly necessary? Do you remove it when no longer needed? Can you remove it on request? …Have you thought of all the systems and geographies where the data is processed?”
Making sure that both you and the employees at your organisation fully understand what is required of them in relation to GDPR is crucial.
Within the new regulations, your organisation will need to report any breach of data within 72 hours of it happening, or face a major fine. Questions to think about, said Jaczynski, are: “How many security incidents have you had this week…and are you ready to report a personal data breach within 72 hours?”
The earlier you think about and prepare for GDPR, the easier it will be once the change comes into effect.
Jaczynski said: “Even though it all boils down to a set of simple principles - personal data may only be processed lawfully, fairly and in a transparent manner – for many a business it still can result in a really transformational project.”
Why changing your culture around data privacy is important
Creating a ‘data privacy culture’ is more than just abiding by the new rules around data protection. Businesses need to know about how various roles within their company will be affected by the implementation of GDPR, and they need to ensure they are fully aware of what this new regulation will entail.
“The way we approach this in Staples Solutions is by asking ourselves three basic questions – do we have the right to collect and process the data, is it legally and socially acceptable? If yes, then are we able to do that in a responsible manner? And – last but not least - are we transparent enough on what we do with the personal data of our customers and staff?
“Asking these questions once is a good start, having your colleagues asking them as part of their ‘business as usual’ is a culture.”
By bringing in a new way of thinking and new processes around data privacy, and by “setting the tone at the top”, you should be able to fully integrate a new data privacy culture with relative ease.
“For privacy, just remember that you don’t really own any personal data – all the data you process have been entrusted to you by their real owners, and [you should] protect their privacy the way you would normally want others to protect yours.”