GDPR preparation: 2018 data protection changes

Your GDPR preparation timeline

One of the primary challenges for small businesses when facing GDPR compliance is budget. As Clearswift's Dr Guy Bunker pointed out before GDPR came into effect, you now have approximately two years to get compliant so if you start allocating budget this year, you can split the cost down the middle by spreading it over the two-year period.

However you arrange your budget, Dr Bunker advised small businesses need to have been ready six months ahead of the GDPR-compliance deadline, so there's a buffer in place to accommodate the hitches that will appear along the way. Here's what you need to have been doing and when.

First 6 months: If your organisation has more than 250 employees, then you'll need a data-protection officer (DPO). If you don't already have one then this post should be filled sooner rather than later, so that they can be involved in the journey towards compliance.

6 -12 months: Work out where new procedures need to be introduced, such as security and breach notification. You should aim to get this in place early, so you have plenty of time to disseminate new policies and test new processes around your business.

12 - 18 months: Start conversations with suppliers and data processors to discover how they'll protect your information and respond to requests for data deletion. Look at tools to help in discovery, especially for "right to be forgotten" requests, which need to be done in the next two years.

A risk-based approach to the rules

Over the past six months, we have had a lot of official guidance for SMEs to come from national bodies such as the Information Commissioner's Office. This has helped clarify and dictate the detail of what specific industry sectors must have done to be GDPR compliant.

Before GDPR came into effect, we had asked Christine Andrews, managing director of data governance, audit and consultancy firm DQM GRC for her advice, which still applies today and should be carried out immediately if businesses have yet to become fully GDPR compliant.

"First, organisations need to evaluate the personal data they have," she told us. "Categorise the data so you're clear where the personal and sensitive data resides, and where other, less important data sits in the company. Usually, drafting a data map will help businesses to understand the pattern of data through the company, provide clarity on who has eyes on the data, indicate what skills these people have and, finally, highlight where the data ends up.

"Once organisations understand just what personal data they're holding, they should then ensure that regular risk assessments are completed, in order to understand the level of threat imposed on the company when processing data.

"The GDPR, in fact, demands a risk-based approach with the development of appropriate controls. This should, in a single stroke, ensure that management recognises the dangers associated with the loss, misuse, theft or any other compromise of customer data. For organisations that pass data onto others, there is a tendency to presume that third parties operate to high standards of data security and protection. The GDPR now requires controllers to obtain sufficient guarantees of this before engaging with processors.

"Basically, as the data owner, you must check that the organisations you're working with have effective technical and organisational measures in place to ensure the security of the processing."

WATCH: Learn more about the security threats facing businesses today and how to combat them in this free webinar WATCH NOW

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.