It seems that it’s almost a daily occurrence now that companies come forward to admit large data breaches.
Among the most recent examples are Uber (2.7 million users affected), Yahoo (3 billion users affected), and Equifax (143 million consumers affected). The last one is perhaps the most sinister.
Equifax is a consumer credit score company, meaning that the data accessed included credit card and social security numbers.
A data breach is bad news, no matter if you’re a global brand like Uber or a small marketing company in Dundalk.
It is extremely important to ensure that the data you hold relating to your clients or customers is obtained, stored and maintained correctly. There are guidelines in place to help you; however, these are due to change in the near future.
On May 25, 2018 the General Data Protection Regulation (GDPR) will come into effect, replacing existing data protection frameworks under the EU Data Protection Directive.
Sounds complicated, doesn’t it? But what does it mean for businesses and individuals here in Dundalk and across Ireland? Let’s take a look.
In essence, the GDPR standardises and strengthens the rights of European citizens to data privacy, by governing how businesses process personal data.
If your business is involved in data processing of any sort, it’s necessary to take the following steps:
Review and enhance your organisation’s risk management processes. Make sure decision makers and key people within your organisation are aware that the law is changing.
Make an inventory of all data you hold.
Why do you hold it? Do you need it? Is it safe? You should document what personal data you hold, where it came from and who you share it with.
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. Make sure you keep service users fully informed about how you use their data.
You should check your procedures to ensure they cover all the rights individuals have, including deletion and data portability.
Plan how you will handle access requests within the new timescales – requests must be dealt with within one month.
Ensure you have a lawful basis for your data processing activity. Are you relying on consent, legitimate interests or a legal enactment to collect and process the data? Do you meet the standards of the GDPR?
Review how you seek, obtain and record consent, and whether you need to make any changes to be GDPR ready. Refresh any existing consents you hold now if they do not meet the new standards set out by the GDPR.
Do you have adequate systems in place to verify individual ages and gather consent from guardians?
Are you ready for mandatory breach reporting? Make sure you have the procedures in place to detect, report and investigate a personal data breach.
Will you be required to designate a Data Protection Officer (DPO)?
Make sure that it’s someone who has the knowledge, support and authority to do the job effectively.