Chances are that if you ask your leadership, marketing, HR or IT director what they're doing to prepare for the new EU General Data Protection Regulation (GDPR), you'll open up a can of worms.
Research shows:
- 20% of IT decision-makers in the UK are still unaware that GDPR even exists. (Trendmicro).
- Almost one-third (32%) of people surveyed believe the chief information officer is responsible for GDPR-related changes, 21% the chief information security officer, 14% the chief executive officer, and 10% the chief data officer. (Centre for Information Policy Leadership).
- Only 56% of directors confirmed that they "have a formal cybersecurity strategy", let alone a GDPR strategy. (Institute of Directors).
Lack of awareness, transparency and clarity around GDPR is causing a lot of confusion.
Who's responsible for GDPR? Who does it impact? How should each employee approach the new requirements to stay compliant?
GDPR and data privacy compliance are closely related to a company's data strategy, big data and analytics, and data-driven innovation. It's the responsibility of every employee.
To help you develop a plan for engaging your employees, we've grouped your different stakeholders and set out their key requirements. Use this plan as a starting point, and develop it however you need to suit your own organisation.
| Stakeholder group | How you're affected | What you must do |
| Leadership |
Fail to conform to GDPR and you could be fined up to 4% of your annual turnover and face considerable damage to your brand. |
Invest in training and providing the time and resources needed to make the changes. |
|
If you have 250 or more employees, you must keep auditable records of how you process personal data. |
Keep reliable records of all your data-processing activities. |
|
| IT teams |
All your processes and procedures for managing data must include data protection by design. |
Secure and encrypt all data, and track who's allowed to use or create new copies of data records. |
|
Data subjects are entitled to see any data you have saved about them. |
Ensure you can make all information available in a format that's clear and understandable. If a customer wants to move to another company, you should be able to give them their data in a portable format. |
|
|
If your systems are hacked, data subjects have the right to know whether their data has been stolen, and when this happened. |
If there is a data breach, you must notify the supervisory authority (the main data protection regulator yet to be determined) no later than 72 hours after you became aware of the breach. |
|
|
Data subjects have the "right to be forgotten" and their data deleted once it's no longer needed. |
Implement a strong policy for how and when you'll delete data. You may need to consider what data you need to keep for archiving purposes. |
|
| Marketing teams | You can no longer send marketing emails without the recipient first having opted in to receiving them. |
Every one of your data subjects must acknowledge that they're willing to be marketed to. You cannot accept silence as consent, pre-ticked boxes are banned, and you need to specify cookies policies more clearly. |
|
Data subjects have the "right to be forgotten" and their data deleted once it's no longer needed. |
Avoid collecting data for unnecessary or frivolous reasons, and consider whether you really need to know phone numbers, income, job titles etc. |
|
| HR and customer accounts teams |
If you're a public authority, or a private company that regularly monitors or processes lots of sensitive data, you'll need to appoint a data protection officer. |
Appoint a data protection officer to (1) advise on GDPR obligations; (2) monitor compliance; and (3) liaise with the data protection authority.
|
| There are tighter restrictions on how you store and process data on your own employees, and employees can withdraw their consent to this processing at any time. | Consider what data you store on your employees and how you obtain their consent, and have systems in place for employees to withdraw their consent. |
What you should do now
After your initial stakeholder meetings, we'd recommend using our GDPR quiz to test how well your stakeholders understand their requirements. Find the quiz in our toolkit at the link below.
Continue for Part 3 of our GDPR series, 'How to get started'.
Share your thoughts on this article