According to a report by PORT.im, the majority of UK companies are still unaware of their responsibilities when it comes to the protection of personally identifiable information under GDPR, and the technology sector is no different.
From 25th May 2018, companies that process personal data, regardless of size, will be held accountable for non-compliance with the regulation. Where previous legislation placed the obligations almost entirely on the Data Controller (the company that decides why and how personal data is collected), GDPR makes the Data Processor (the company that handles that data on the controller's behalf) directly accountable as well.
Technology companies will be open to potential fines for non-compliance, data loss and data breaches, which is a seismic shift within the IT sector. Cloud providers and data centre providers will have to adopt stricter security measures, standards and processes within their organisations to protect and handle customer data to ensure they remain compliant with GDPR.
From now on, the technology sector has a massive opportunity to shape the way businesses protect and secure their data through education, shaping cultural change and leading the way in security products and services.
GDPR, however, brings its own challenges for technology companies, which find themselves with a specific skills shortage in cybersecurity specialists, compliance professionals and DPOs (Data Protection Officers). Technology businesses will therefore need to invest in their staff and in training programmes that attract new talent into the IT industry, to overcome this skills shortage and avoid the penalties.
What do businesses need to think about to ensure they comply?
While the above may sound daunting and overwhelming, there are steps technology businesses can take in order to make GDPR compliance more manageable.
1. Get to grips with the GDPR legal framework
Before panicking about the potential implications and penalties for non-compliance, companies first need to ensure that they fully understand the legislation.
This can be achieved by conducting a compliance audit against the GDPR legal framework, with a Data Protection Officer (DPO), whether appointed internally or engaged externally, providing guidance, explaining the regulation and applying it to the business at the same time.
A DPO is mandatory under the new regulation if the organisation is a public authority or body, if its core activities involve regular and systematic monitoring of individuals on a large scale, or if its core activities involve large-scale processing of special categories of data (such as health or biometric data) or data relating to criminal convictions.
2. Ensure staff are ‘in the know’
Technology businesses need to review how personal data is collected, processed and retained, and should involve key members of staff from each department. Engaging employees directly will not only raise the profile of GDPR within the business but will also make employees aware of the importance of compliance.
Internal communication and awareness are pivotal here and will also help reduce the chances of staff unwittingly doing something that results in a data breach. Board-level backing will also be needed to ensure that the correct resources and budget are allocated.
3. Remain one step ahead
A personal data breach, whether it arises from identity theft, a breach of confidentiality or a direct data leak, must be reported to the ICO (Information Commissioner's Office) within 72 hours of the business becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals affected. Where the breach is likely to result in a high risk to those individuals, for example financial loss or personal harm, they must also be informed without undue delay.
Failure to report a breach may result in further fines for the business. The business should therefore develop and implement an incident management policy and procedure for handling data breaches, so that breaches are detected, reported and investigated in a timely and accurate manner. Because the 72-hour clock starts when the business becomes aware of the breach, detection and internal escalation need to be fast enough to leave time for investigation and notification within that window.
Will compliance be onerous?
The difficulties that businesses will have in complying depend largely upon the nature of the business itself. However, the most onerous task for any business is, in my opinion, the training of staff. It is imperative that everyone within the organisation is aware of what GDPR is, how it affects them, how to respond to a Data Subject Access Request, and how to correctly address a data breach or loss.
By Vicky Withey, Compliance Manager, Node4