Sprout IT: Five things all financial directors should know about GDPR
1. Subject Access Requests – You will no longer be able to charge people for dealing with their requests. On top of that, putting even more pressure on the resources allocated to this often time-consuming task, the 40-day deadline has been reduced to just one month. Someone needs to be responsible for this!
2. Budget allocation – Business leaders will have to assign resources to raising staff awareness of the new regulations and ensure the correct structure is in place in order to be compliant. Therefore a budget will need to be allocated to fund these compliance and training activities.
3. Significant fines – The Information Commissioner’s Office (ICO) can impose fines of up to £17m ($20m) or up to 4% of global turnover, whichever is greater, on businesses that breach the regulations. This has the potential to bring a company to a standstill and put the future of the business in serious doubt. Given that the ICO will need to fund its operations from these fines, it is highly likely it will start imposing them as soon as the legislation goes live. A very significant factor for those in charge of the business, and one not to be ignored.
4. Consent – Businesses must obtain a positive indication of agreement to personal data being processed. This consent cannot be inferred from silence, pre-ticked boxes or inactivity. Sounds like a big job, right? Correct – think, plan and take action!
5. Contractual changes – The GDPR requires extra information to be supplied to individuals, including the legal basis for processing their data, the retention period and their right to complain. Again, planning, contractual changes and communication equal time and money.
The common theme above is to plan your approach to the changes. Ensure there is a plan, make someone responsible for executing it, allocate a budget for it and communicate it to all stakeholders in the business.