John M Shanahan & Co.

linking practice to business

Chartered Accountants
Registered Auditors

Phone: 057 93 22100

email: info@shanahan.ie

Getting Started on GDPR Compliance

The EU's General Data Protection Regulation (GDPR) will have a definite impact upon your business - isn't now a good time to get started with the implementation process?

September 30, 2017

Legislation has been brought in by way of an EU Regulation that comes into force in May 2018.


In May 2016, a new EU Regulation and Directive were released to govern the protection of personal data: the General Data Protection Regulation (GDPR). It will enter into force after a two-year grace period, in May 2018.

We at John M Shanahan & Co, Chartered Accountants, Tullamore, Co. Offaly, have looked at the possible effects on your business and the implementation requirements that need to be put in place.

With just seven months to go, enterprises need to get active, evaluate what it means for them and work out how they need to prepare.

The objective of this new set of rules is to give citizens back control over their personal data, and to simplify the regulatory environment for business.

Data protection laws are not new in the EU. However, the new GDPR rules present some significant impacts and changes to current data privacy regulations. First and foremost, it is now a regulation with the full force of law, valid across all EU countries; even the UK, post-Brexit, is committed to its implementation.

The other important aspect is that GDPR now imposes substantial fines upon individuals and enterprises that do not adhere to the law, so we must take note.


Collecting and processing data.

This activity is legitimate as long as it serves a justified purpose, as defined by GDPR, for example: “if data processing is needed for a contract, for example, for billing, a job application or a loan request; or if processing is required by a legal obligation, then the entity is justified in collecting and processing that data.”

Such justified purposes for storing and retaining personal data are, for example, laws that govern retention of content, such as tax-relevant data and documents, where retaining the scanned vendor invoice or a customer bill is not only justified but is also an obligation.

Preparing your Business for GDPR.

Firstly, with regards to storing personal data for a justified purpose, enterprises need to set up policies and procedures – not only to retain content for as long as the law obliges them to (for example, records relating to your customers, suppliers and service providers under taxation or product liability laws), but also to delete content in a timely fashion once it is no longer needed or the justified purpose for retention has expired.

The second core element of the obligations is that personal data must be protected and secure at all times – whether in transit or at rest.

The International Association of Privacy Professionals recommends that the security actions to undertake include:

  • The pseudonymization and encryption of personal data;
  • The ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services;
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Technical Infrastructure.

It’s clear that the correct technical infrastructure has a key role to play when implementing the GDPR. Organizations will really struggle if they continue to hold mountains of information. Instead, they must have a clear end-to-end view of all the personal data they hold. This is both structured and unstructured data – everything from e-mails and social media behaviors to contracts or service documentation.

This does require a significant change in thinking.

Organizations will need to introduce Privacy-by-Design and Data Protection-by-Design as core foundations of their infrastructure.

The Data Protection Commissioner (DPC) has prepared an introductory document to help in preparing for GDPR: “The GDPR and You”.

This document lists 12 steps which businesses should be considering in order to be GDPR-ready by 25 May 2018.


We at JOHN M. SHANAHAN & CO. are here to help you with all your accounting, business, financial and taxation requirements, by providing an expert, specialist and professional service tailored to meet your needs.

Phone 057 93 22100, email info@shanahan.ie or use our contact form.
