If you process personally identifiable information (PII) in the UK, you should already be complying with UK legislation, specifically the Data Protection Act 1998.
However, the General Data Protection Regulation (GDPR) tightens the rules on controlling and processing the personal data of anyone in the EU. It follows from the EU's aim of guaranteeing individuals' privacy rights in a digital world.
The biggest difference is that GDPR has teeth. Effective from 25 May 2018, the GDPR makes notification of personal data breaches mandatory (to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach), with administrative fines of up to 4% of global annual turnover or €20 million, whichever is greater. Custodial sentences will also still be possible for data protection offences under other UK legislation.
While most, if not all, businesses have begun to understand GDPR, many are simply not prepared. Your firm almost certainly stores large amounts of information on clients, much of which would be considered sensitive data.
Not only is this data held centrally, it also needs to be accessed by people on the move, on mobile devices, via email and through other channels. Even the most diligent firm is likely to have compliance gaps unless it is already well underway with its plans. Put simply, there is a lot to do, and it takes time.
To be GDPR compliant you’ll need to demonstrate accountability for how you store, maintain and protect both your client and employee data. You shouldn’t underestimate the effort required to develop policies, embed new processes, educate staff and ensure the right security and encryption is applied to all your devices.
There's no doubt your firm could implement these changes by itself. There is a wealth of information online if you have the time and resources to plough through the detail. Yet there is no single overarching standard or template: you will have to work out your own approach.
If this doesn't sound very appealing, you can turn to experts like Oosha to help accelerate your readiness and keep you compliant. Not only does this leave you free to focus on running your business, you’ll also have the peace of mind of having a GDPR specialist on hand to provide ongoing advice and support.
Our GDPR service isn't a snapshot, one-off exercise. We help firms assess their readiness initially, but also provide ongoing analysis and tools to help you stay compliant.
We'll help you assess your operational readiness as well as your information security. Through network scans, on-site interviews and physical security checks we can quickly determine whether you are meeting your GDPR obligations and, if not, what needs to be done to close your compliance gaps. Our initial assessment includes:
- Automated, self-running network scans
Scans performed by specialised tools, which are more
- Onsite walk-through & role-based interviews
One of our information security experts will interview your key
- Detailed, practical Risk Treatment Plan
Your current GDPR and information security risks and how they can
The GDPR shouldn't be treated as a one-off, checkbox exercise. Compliance is an ongoing process: even if you are compliant today, things change, and you need to know if and when your compliance status is at risk. That's why our service includes regular, scheduled compliance checks. To help you stay compliant we provide:
- Ongoing, scheduled network scans
Monthly updates alert you to any new GDPR risks, so that you can act on them before you slip out of compliance.
- Policy and procedure pack
An “out of the box” policy pack that you can tailor to your particular situation.
- Annual compliance review
Our GDPR expert will engage with your DPO on an annual basis to review any ongoing compliance concerns.