The introduction of the GDPR brought tougher sanctions, more rights for individuals, and a wider territorial scope, meaning that any non-EU organisation that does business in the EU is obliged to comply.
Since its introduction, there have been some hefty fines issued which indicate the need for GDPR training courses. Another notable change the GDPR has brought is that the appointment of a Data Protection Officer (DPO) is mandatory for organisations that are public authorities or bodies.
The need for guidance on GDPR compliance
Despite the GDPR being in effect for four years, many companies are not GDPR compliant. A recent study indicates that nearly three-quarters of UK companies don’t follow GDPR data request requirements and about a third of EU companies are not GDPR compliant.
Previously, under the Data Protection Act (DPA), failure to comply with data protection rules could lead to firms being fined a maximum of £500,000, with the highest to date being around £400,000. Under the GDPR, however, penalties are much tougher: firms can potentially be fined 4% of their annual global turnover or EUR 20 million, whichever is higher.
Top tips for GDPR compliance
- Get the tone from the top right
- Appoint a Data Protection Officer
- Be proactive & aim for data protection by design
- Measure and mitigate the risk
- Know where your data is & get familiar with data sources
- Categorise your data
- Have detailed plans in place in case it goes wrong
- Educate your staff
- Determine if your data can be deleted
1. Get the tone from the top right
Consider holding events and roadshows, creating resources, or organising presentations by the CEO and board to create awareness and demonstrate your commitment to data protection at the highest level. If it matters to you, then it will matter to everyone else across the organisation.
2. Appoint a Data Protection Officer
This applies if you have over 250 employees in your company. They will act as the main go-to person for all data protection activities within your firm.
3. Be proactive & aim for data protection by design
Think about how you might integrate data protection into all your processes so data protection and privacy issues are prioritised. Carry out and document Data Protection Impact Assessments (DPIAs) or Privacy Impact Assessments (PIAs) to strengthen protections for individuals.
4. Measure and mitigate the risk
As a board, be sure to spend time discussing your cybersecurity and information security issues. What is your risk profile, your attitude to different risks, and your appetite in respect of data breaches?
Are cybersecurity and information security issues included in your risk register? Are there named risk owners and specialist teams to track and manage the risk? What role do Audit and Compliance play now and how will this change in future?
5. Know where your data is & get familiar with data sources
It is impossible to comply with data protection rules if you don't know what data you hold and where it is, so having visibility of your data at all times and knowing what it consists of is crucial.
6. Categorise your data
All of your data has some relevance and importance, but some data will be more significant than other data. Categorising your data according to its value within your company will help to reduce the risk of security breaches.
7. Have detailed plans in place in case it goes wrong
Get your business ready for any possible negative situations. This means having detailed plans and costs in place that can be consulted in the event of such outcomes.
GDPR guidance states this must be written in plain English so it could be that your privacy policies need to be revised and re-written.
9. Educate your staff
Train your employees and make sure they understand what the GDPR means for them. It is important to ensure that all employees are on the same page to avoid unintentional GDPR breaches.
10. Determine if data can be deleted
Under the GDPR, all customers have a "right to be forgotten". Any individual can request their details be deleted. Unless you require these details for tax purposes, you are obliged to delete them from all systems. It is important to ensure that you have the ability to do this in a timely manner.
Want to learn more about GDPR?
To help you plan and execute compliance in your organisation, we have created a comprehensive GDPR roadmap.
We also have 80+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!
If you'd like to stay up to date with GDPR best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech and RegTech news, subscribe to the Skillcast Compliance Bulletin.
Last but not least, you can interact in person with thought leaders and your peers at one of our popular live webinars and face-to-face events.
If you have any questions or concerns about compliance or e-learning, please get in touch.
We're happy to help!