Millennium Consulting

Managing Technological Change, Deployment, Development and Optimisation


GDPR - 12 Months To Go

By Brendan Shaw - 2nd May 2017

The EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018, and organisations need to be 100% compliant from day one. Data protection has become increasingly important: more than two billion records were stolen in 2016, and there have been 974 publicly disclosed data breaches during the first 6 months alone. Businesses that process and store data concerning EU citizens will need to undertake thorough checks to ensure GDPR compliance. They will be obliged to report data breaches within 72 hours and will be bound by more stringent rules for obtaining consent from individuals regarding how their data can be used.

The regulation covers the capture and control of personal information and the consent required for its use. It is designed to protect the data rights of EU citizens, so that individuals have more control over who holds their data and how it is used. GDPR applies to any personal data within an organisation, and it affects all types of organisation, from social network sites through to the financial services sector, retail and healthcare.

GDPR is as much about process administration as it is about data security. Protecting and securing data isn’t necessarily about hiding it away; it’s also about making the data transparent, knowing what is being stored, storage location, storage purpose and who is responsible for it. After all, you cannot protect what you are not aware you have.

The first step organisations have to take is to assess the data they collect, store and process and decide whether it is needed in the first instance. Where data is found to be unnecessary, further collection should stop and historic data should be deleted.

Some organisations may decide that processing personal data is so core to their business that it should be kept in-house. If this is the case, then plans for GDPR should be well underway, with technologies such as encryption, tokenisation and DLP (data loss prevention) under review. Administrators must be accountable and should control data access. Good data governance can underpin GDPR compliance by defining enterprise-wide policies and business rules. If data can be found and understood, it can also be reported on, allowing organisations to provide evidence to regulators as and when required.

In certain instances, data functions can be outsourced to companies specialising in data processing, meaning GDPR compliance for that data will be their responsibility. Online retail and direct marketing are just two examples of areas that can be outsourced.

The enforcement of GDPR is now little more than a year away. Regardless of how organisations intend to address the requirements, they should start taking the necessary actions now. Regulators will issue significant fines for non-compliance from day one, ranging from 2% to 4% of annual revenue.

If you need support or advice to ensure your organisation is GDPR compliant, Millennium Affine is well placed to help. Specialising in regulatory and compliance change, we've been assisting organisations with transformation projects since 1995. Please contact Phil Keet or Brendan Shaw on 0845 604 4262 for further information.