The countdown is on: Are you GDPR Ready?

The new General Data Protection Regulation comes into effect next week… is your business ready? Read on to discover what you need to do before the 25th May.


Ramzi Chamat / 8 Ways Media
2018-05-16 07:54:00

An open laptop with a mobile phone and a plant either side of it

The game-changing new General Data Protection Regulation (GDPR) comes into effect across the EU on the 25th May 2018, and with just over a week to go until the deadline kicks in, it seems pertinent for us to acknowledge this very important regulation and give you some final tips and advice before the deadline sets in.

If your organisation is not yet ready for this very important day, read on. With fines of up to €20 million in place or 2% of annual global turnover (whichever is greater) in the event of a breach, GDPR cannot be taken light-heartedly and will absolutely affect all EU businesses – including the U.K. post brexit and Switzerland.

The new legislation is a monumental change to privacy and data protection and any organisation dealing with EU data subjects will be affected. However, Swiss data protection legislation is closely tied to EU regulation, which is why the GDPR will also affect Swiss organisations.

To ensure full GDPR readiness, ensure your business takes the following steps:

1. Document what personal data you hold

The GDPR requires you to keep a record of all your processing activities. Therefore, your business must document what personal data you hold, its origins, how you process it and for what purpose. You must also be able to determine who you are sharing it with.

2. Appoint a Data Protection Officer

It’s vital to designate (or hire) someone who will be responsible for ensuring data protection compliance. This is particularly important for larger organisations or organisations that either collect or process large quantities of personal data.

3. Review your current privacy notes

Review all privacy notices and ensure appropriate changes have been made before the GDPR comes into force. Amongst other things, you will need to explain (in clear language) to people who you collect and process their personal data, the basis for processing their data, the retention period and the right to access the data.

4. Process readiness

It’s obvious that in accordance with GDPR, data must be protected. Acceptable mechanisms for protection include pseudonymisation, encryption and tokenisation, which are being adopted by many companies and can all be used to show compliance with the provisions of GDPR.

5. Be ready in case of data breaches

Under GDPR, data breaches must be reported to the authorities (presumably the Federal Data Protection Commissioner) if the breach is likely to result in a risk to the rights and freedoms of individuals. Breaches must also be reported to the individuals affected. Note that notification is not required if the data has been encrypted, tokenised or otherwise obscured so as to not be intelligible to the attacker.

6. Adopt a Privacy by Design and by Default approach

Privacy by Design and by Default is now a legal requirement and consists of:

Minimising the processing of personal data

Pseudonymising personal data as soon as possible

Transparency with regards to the function and processing of personal data

Enabling the data subject to monitor the data processing

Enabling the controller to create and improve security features

As you can see, there is plenty to do when it comes to GDPR and if you do not feel totally ready for the big day next week, then get in touch or contact our GDPR partners, Sigrid Partners, a Geneva-based GDPR & FADP consultant.

Interested to meet digital professionals?

Let’s discuss your project and try to find the best solution for your needs.