GDPR comes into effect on 25th May 2018. It is set to improve the control EU citizens have over the data that organisations hold on them. As a result, it has huge implications for the way organisations manage their data – and the staff they are recruiting.
A recent survey published in Computer Weekly found that 64% of CIOs plan to hire temporary or interim staff to manage the changes in data management and reporting that GDPR is bringing.
There are also increasing numbers of permanent opportunities for Project Managers, Business Analysts and Data Protection Officers. In the Computer Weekly survey, 33%, 26% and 26% of the managers questioned respectively expected demand for these roles.
With these kinds of requirements brewing, candidates with the required technical and project management skills will be in short supply.
However, the slow response of British business to GDPR has been widely noted in the press. The UK regulatory authority, the Information Commissioner's Office (ICO), has warned that businesses need to start preparing now.
This presents an opportunity for those businesses who do act now to recruit the best of the available talent pool. The recruitment of professionals with the skills needed to help prepare your business for GDPR – project management, compliance, data management, analytics, and communication – will have implications beyond GDPR.
The UK Government announced over the summer that it is planning to introduce new legislation to strengthen data protection in the UK, in order to keep UK legislation in line with GDPR even after Britain has left the EU. This will be essential to ensure the flow of data between the UK and Europe is not disrupted in the event of Brexit, after which the UK Government will need to be able to demonstrate equivalency.
Even though the GDPR only requires public authorities and organisations engaged in profiling to appoint a Data Protection Officer (DPO), a survey by the International Association of Privacy Professionals (IAPP) estimates that more than 75,000 DPOs would need to be appointed ahead of May 25th, 2018.
For smaller organisations which do hold significant quantities of customer data or are engaged in profiling, recruiting a dedicated DPO or GDPR lead might not be financially viable. Smaller organisations are left with an unenviable search for temporary staff in a very stretched resource pool.
Bringing in third party help may be a more realistic solution, at least in the short term. The first step, of course, is to make yourself familiar with GDPR and the impact it is likely to have on your business.
We published an article a few months ago on GDPR; busting some myths and telling you what you need to know…
‘What does it mean for businesses?
• Businesses may not store or use any person’s personally identifiable information without express consent from that person.
• If a data breach is detected, businesses have a responsibility to notify everyone affected by the breach and the supervising authority within 72 hours.
• Businesses that monitor data subjects on a large scale or conduct data processing must appoint a data protection officer.
• Businesses need to be able to demonstrate that they are complying with these requirements.’
‘Does it apply to all businesses?
Big consumer-facing organisations will be most affected by GDPR.
However, any organisation that provides support to these organisations and touches their data – such as software providers, cloud providers, or outsourcing companies – will need to ensure that they also comply with GDPR.
GDPR does make the distinction between data controllers and data processors and outlines specific legal obligations for each. Processors of data will be required to maintain records of personal data, consent, and processing activities. Processors will have more legal liability in the event of a data breach. However, even as a controller you must be able to demonstrate you are complying with GDPR.’
‘What should organisations be doing now to prepare for GDPR?
The first step is to get legal advice from a specialist in the EU GDPR to ensure that your efforts to meet the GDPR’s requirements are well directed.
In addition to the points we’ve mentioned above, you will also need to conduct Data Protection Impact Assessments (DPIAs) and integrate measures to ensure data protection. You will need to establish a DPIA framework which integrates with existing risk management and data processing activities.
It is also important to be talking to your IT, cloud, and marketing suppliers about their compliance with GDPR. You will need to add clauses into your contracts with them, and your terms and conditions for customers, about how you and they are handling and managing personal data.’
Another good starting point is the 12-point guide for small businesses published by the ICO.
If you are unsure about how to apply this guide to your business, or would like help making plans for compliance, adapting business processes or mapping the data held within your organisation, Grant McGregor consultants are on hand to help.
For advice or assistance, call our team now on 0808 164 4142.
Image source: Freerange Stock