Privacy by Design is pivotal to the GDPR and so, board members and C-suite executives must understand all requirements of the GDPR. Privacy by Design will put the responsibility on businesses to ensure that they have policies that are compliant and that they implement the correct procedures and systems from the moment any products or processes are developed. Every single area or department of a business that handles personal data, regardless of the stage of its lifestyle, must ensure that data remains secure and that they have been given permission to use it in the way that it was originally intended. A Data Protection Impact Assessment (DPIA) bust be undertaken by businesses when they begin using new technologies and in particular, when processing it is highly likely to result in there being a high risk to the rights and freedoms of individuals. This high risk could relate to information that contains special categories of data, which could include criminal convictions or disabilities.

Within 72 hours of becoming aware of a data breach, GDPR will require it to be reported to the relevant supervisory authorities. If businesses fail to notify the authorities of a breach, there could be a fine of as much as 2% of its turnover or as much as 10 million Euros. The Data Protection Officer (DPO) within the business will have the role of reporting data breaches. However, every department will be expected to have the correct processes in place to ensure that they are alerted should a breach take place. There will also be an expectation for businesses to report a data breach to the public, depending on its nature and severity – this will have to be carried out with minimal delay.

We live in a world where the volume of data that is shared every day is growing at an incredible rate. It is expected to continue to grow over the next few years and into the future, highlighting the importance of handling data in the correct way. The majority of data consists of unstructured electronic information such as messages, emails or photos, which means that it is not stored in a structured database. Businesses will be required to document all personal data that they hold under GDPR. They will also have to document its origin and where it has been shared. If businesses are unable to do this by May 2018, they may be required to create an information audit. As part of GDPR and to ensure they compliance, businesses will have to maintain a high level of data hygiene. Therefore, they will be expected to put the correct measures in place to ensure that they meet the basic principles of data protection. This could include the likes of pseudonymisation, data minimisation as well as maintaining a high level of security as an ongoing concern. Under GDPR, managing data badly can lead to severe fines and that means that data security policies are no longer enough because they have to be seen to enforce them and communicate them.