Impact of GDPR and what you need to consider
The upcoming General Data Protection Regulation (GDPR) expands the scope of data protection, mainly by expanding the rights of individual data subjects. Clients must explicitly give their consent for their data to be processed, and the responsibility for handling that information rests with the organisation that holds it.
The GDPR is designed to bring out the benefits of digital services for citizens as well as businesses, primarily by helping to mitigate risk and by inspiring confidence in how user data is managed by the businesses entrusted with it.
Many IT leaders already recognise the significance of data protection, yet admit that more action is needed to act on that recognition. Approximately 30% of IT decision makers admit that they do not know whether contingency plans exist for securing data within their workplace. Organisations will need to comply with the changes from the day the regulation takes effect; failure to do so can lead to fines of 4% of annual turnover.
Companies will have to appoint a Data Protection Officer (DPO) to handle GDPR implementation. It will be imperative that each organisation has sufficient staff with the appropriate skills to handle its GDPR obligations.
The DPO’s minimum tasks as defined in Article 39 of the GDPR are:
- To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
- To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
- To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).
See the Information Commissioner's Office (ICO) accountability and governance guidance for more information (https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/accountability-and-governance/).
The role can be allocated to an existing employee within the organisation as long as there is no conflict of interest. No specific credentials are required, but the employee does need experience and knowledge of data protection law.