Preparing for GDPR: Five Questions Every Board Should be Asking

18th August 2016 | Will Parton

With less than two years to go until GDPR – the new General Data Protection Regulation – becomes law, many businesses are only just beginning to wake up to the significant impact it’s set to have.

Four years in the making, the regulation is being implemented to strengthen and unify data protection for individuals across the UK and European Union. From the need to report personal data breaches to regulators and customers within 72 hours, to the potentially massive fines that will result from any infringement, the regulation will be a major step up from what organisations are used to.

And, if some are thinking last month’s vote for the UK to leave the EU means British businesses are off the hook, they should think again. The regulation applies to any company serving people within the EU, regardless of whether their business is based in or outside the bloc.

Ultimately, it will be down to those at the top – Directors, non-Execs and Trustees, who have a strategic and operational responsibility – to mitigate the risks. Failure to comply could have major consequences, even prematurely ending high-flying careers.

So, what are the key questions those at the top should be asking in order to protect both themselves and their organisation?

What will GDPR mean for business process?

Successful preparation will depend on the design of good data protection into business processes – an outside-in approach that ensures the organisation is protected at every level. A critical starting point is to conduct an initial top-to-bottom review of all data – structured and unstructured – and business activities which touch personal information.

This should go far beyond the obvious IT departments. One of the most important aspects of GDPR is the enhanced rights it will give individuals to request access to their data, otherwise known as Subject Access Requests. Under these rules, companies will have to provide detailed information on how the data has been processed, with just a month to respond. This could mean a light being shone on areas of the business that were never meant to be made visible. So, the initial review needs to assess processes at every level and wherever customer or employee data is involved.

How can we educate employees?

The level of scrutiny GDPR will place on organisations means that an ongoing programme of activity to educate all employees in the new requirements will be essential. One important example is making people aware of how they should be taking notes and recording information about their customers, prospects and employees. It may seem basic, but this data could easily be subject to a data access request.

Will we need to invest in new technology?

Companies should become much more vigilant in ensuring personal data is suitably protected and only available to individuals with the appropriate consent and authority. But this will cost. Over two thirds of IT professionals in the UK expect to invest in new technologies or services – such as encryption, analytics and reporting, perimeter security and consent management – to help their business prepare for these changes.

This doesn’t mean having to completely overhaul existing IT infrastructure: by working with the right technology partner, companies and organisations can invest in data protection technology that is flexible enough to be tailored to the needs of their business, as well as adaptable enough to evolve with the changing regulatory landscape.

Am I covered against any GDPR-related fines?

One issue that has received little attention since the GDPR deadline was announced is the impact it will have on directors’ and officers’ liability insurance (also known as D&O Insurance), which is designed to cover the cost of compensation claims made against a business’s directors and key managers. European legislation is normally covered as standard, but there is still some uncertainty remaining around GDPR. Board members should check with their organisation’s insurance provider now and make sure they’re properly covered or the personal costs could be significant.

How much data is enough?

GDPR also raises the issue of just how much personal data to collect and retain, especially at a time when collecting and accessing far more information than is actually needed is common practice. It might be the case that reducing the amount of data being gathered is the best approach. It would certainly be more cost effective, as continued accumulation of siloes of unused, and potentially toxic, data increases the need for encryption – with an obvious and inevitable need for more investment.

The arrival of GDPR, and the issues highlighted in this article, mean that more than ever before, data protection and privacy need to be a strategic pillar within every organisation.

If those at the top make the right decisions, then GDPR doesn’t have to be a threat. Ultimately, it could help to bring about a wider digital transformation within organisations, boosting transparency and giving businesses the opportunity to re-imagine their relationship with customers and employees.

By Simon Loopuit, CEO at trust-hub