With the new EU General Data Protection Regulation (GDPR) coming into force on May 25 2018, PrintIT Reseller asks this month’s panel what steps they are taking to ensure compliance with the new rules.
PITR: There are significant differences between existing data protection laws and the new GDPR requirements. Are you finding there is a lot of ground to cover to achieve compliance?
Colin Griffin, Managing Director, Blackbox Solutions: “In a data-driven world, the existing data protection laws from 1995 are now inadequate. The new GDPR includes key changes to regulations, including amendments to data handling standards, consent and penalties if laws are breached. In short, there is a lot of ground to cover!
“Blackbox has recently been certified with the information security management standard ISO 27001, so we are well prepared for GDPR and are now in a position to support our clients through the process.”
Matt Goodall, Service Director, Office Evolution: “There is a mountain of reading and procedural practice to put in place, but the good news is you have until May 25 2018 to do it. The Information Commissioner’s Office has produced guides to help you, but with such a significant change there will need to be time for adjustment before the rules can be strictly enforced. There will no doubt be simpler step-by-step guides to follow, but larger companies are definitely going to have a more complex route to compliance.”
Mark Smyth, CEO, Vision: “There are significant differences in compliance from the DPA 1998 and GDPR, and we are currently working through a comprehensive checklist of actions for compliance and also creating awareness within our business, as well as for clients. One step we took early on was to become Cyber Essentials PLUS certified, which has been a great health check and process for becoming compliant and minimising security risks within our organisation.”
Melissa Odawa, Legal Affairs Executive, KYOCERA Document Solutions UK: “GDPR requirements are more extensive than current local data protection laws, with tougher sanctions, the introduction of a data breach notification, a higher bar for accountability and governance, and greater individuals’ rights. Kyocera takes these changes very seriously and has started a project to implement these changes in its EU subsidiaries.”
Graham Herrington, Managing Director, Managed Print Partners: “Yes, there are lots of key differences that will come into effect with the change. A major one is that you will now need paperwork-based evidence for all data flows, as you will need to be able to prove where each and every bit of data came from. This will require much more stringent workflow processes to ensure compliance.
“It also now offers greater protection over electronic data processing. This is very much needed for the 21st century, but may require some serious software and hardware updates for some companies.”
PITR: One commonly voiced concern is the significant resource implications that implementing GDPR could have, especially for larger or more complex organisations. Has this affected your business?
Colin Griffin: “The new GDPR introduces more stringent and prescriptive data protection compliance challenges. These changes will impact on all types of organisation – regardless of size – and businesses need to act now to assess what changes they will need to make to their current data protection compliance initiatives.
“To comply with GDPR, businesses need to commit significant resources or get support from a company like Blackbox Solutions. With ISO 27001 compliance, Blackbox Solutions is prepared for the changes and consequences for our business and sector.”
Matt Goodall: “Without a doubt! The larger organisations are going to see the complexity of the new regulations having a greater effect. Whereas a smaller company may have a single controller and processor of data, larger organisations may well have multiple controllers and processors all needing to liaise and comply with new procedures. As a smaller company, we will have a single point of responsibility. We have to comply with the same regulations, though, and will have to review our procedures to ensure we are fully compliant.”
Mark Smyth: “GDPR has certainly impacted our business, and we have been streamlining and updating our infrastructure to improve security and become compliant. The more elements of data processing and data controlling you have, the more there is to deal with for compliance and to ensure you meet the new requirements.
“Our Cyber Essentials PLUS accreditation was a significant project requiring substantial resources and investment in more advanced infrastructure. In many cases, there is also a business benefit and increased efficiency and functionality, as well as improved security and compliance.”
Melissa Odawa: “The GDPR is one of the most comprehensive law changes affecting businesses that the EU has seen. Kyocera has taken all necessary steps and will continue to take all necessary steps to implement these changes throughout its subsidiaries before the GDPR takes effect on May 25, 2018.”
Graham Herrington: “GDPR will impact the resources of all organisations, irrespective of size. Workload is similar in any sized organisation, as available resources seem to mirror size. For example, a larger organisation is more likely to have identifiable stakeholders in place to manage it as a project within a team, whereas a smaller SME team member is likely to wear multiple hats and have a wider remit across departments, which in some ways makes it more complicated.”
PITR: Experts advise making sure that someone in the organisation, or an external data protection advisor, takes proper responsibility for data protection compliance. Some organisations will also be required to appoint a Data Protection Officer. How are you managing this in your business?
Colin Griffin: “We have appointed a dedicated compliance manager, Stephen Nolan. Stephen has completed the EU GDPR Foundation course and has expert knowledge in data protection laws. He will be responsible for overseeing GDPR on behalf of Blackbox and will also offer compliance guidance to our clients and other businesses concerned about the impact of GDPR.”
Matt Goodall: “We have grasped the procedure early and are doing all we can to ensure we are compliant for the May 2018 date. We will certainly consider working with an external DPA to ensure we achieve all required standards. Only certain types of organisation, such as Public Authorities or those processing special categories of data etc., need to appoint a DPO, although any organisation can appoint a DPO if they choose to do so.”
Mark Smyth: “Currently, data protection is managed by our ICT team, with high level, board sponsorship. However, we are considering the ongoing management and responsibilities. Many organisations are separating Data Protection and Compliance and I believe that’s going to be the norm in larger organisations, though it may depend on their market sector and just how much data they process and control.”
Melissa Odawa: “As part of the project, Kyocera is building up a network of data protection professionals with knowledge of GDPR. Decisions on the installation of a group DPO or local DPOs, whether internal or external, will be part of the project.”
Graham Herrington: “I would seriously question those experts… GDPR is the responsibility of ALL employees. You need a team of people who manage GDPR responsibility. Ideally, it sits on a board agenda as an item and is reviewed on an ongoing basis – think of GDPR as health and safety for data.
“It is true, however, that some organisations will need a dedicated Data Protection Officer (DPO) and there are clear guidelines as to who those are.”
PITR: What steps have you taken/will you be taking to train staff to ensure compliance is built into day-to-day processes?
Colin Griffin: “Communication is imperative when introducing any new process in an organisation. At Blackbox we have been discussing systems with everyone who will be affected by the changes, and Stephen has been delivering regular training sessions to ensure our staff are up to speed before the May 2018 deadline.”
Matt Goodall: “At present, we are still constructing our procedures and protocols. However, any staff members that handle data covered under GDPR will be advised of any new steps that are required. We have always taken data protection seriously within the organisation and GDPR will further enhance our control and processing of data covered under the regulation.”
Mark Smyth: “We have been talking GDPR at every internal meeting to create and generate awareness – it’s about getting your team to understand where the risks are.”
Melissa Odawa: “Staff training will be part of the GDPR project at Kyocera.”
Graham Herrington: “Education will make the difference here. We’re encouraging everyone to ensure that staff are educated in, and understand, the new legislation so that they can take responsibility for the role they can play – however big or small.”
PITR: One of the requirements of the new legislation is to put procedures in place to detect, report and investigate a personal data breach. How are you managing this?
Colin Griffin: “We have developed a set of clear internal policies and lines of responsibility. Robust breach detection, investigation and reporting procedures are already in place, which are all in line with ISO 27001 standards and managed by Stephen. GDPR is not simply a ‘tick-box’ exercise – organisations need to proactively monitor compliance and be alert to data breaches.”
Matt Goodall: “The guidelines suggest that the easiest way to limit the potential for data breaches is to review, control and limit access to the data in the first place. As the fines for a breach are significant and can be 2% of your annual turnover, it is essential that you have your systems up to date and everyone is aware of how to use them. We are also reviewing how we store data relating to customers; the traceability of actions with such documents; and access to those systems.
“My advice would be: ‘Don’t leave it too late, there is lots to comply with’.”
Mark Smyth: “We are currently working through a checklist and process for identifying each business area and data, categorising the data, creating an audit and reporting process, and evaluating and prioritising the risks.
“This will be introduced as a measurements and management process within our organisation come May 2018. We see this as a constantly evolving and continuous process and infrastructure improvement.”
Melissa Odawa: “Some countries, like the Netherlands, already have legislation in place for reporting data breaches. Therefore, Kyocera already has a process for this. Managing data incidents is in scope of the Kyocera GDPR project.”
Graham Herrington: “It ultimately means preparing for a breach, then working back from that point to ensure all ground is covered. For example, one company has prepared a mail merge document that can be initiated if a major breach is detected, ensuring the client receives notification within 30 minutes of it being detected.
“As part of the documentation process, it’s vital to include a clear breach procedure that is monitored, checked and maintained. All data flows are tested against this and form part of the overall GDPR project folder.”