Keep calm and prepare for the GDPR
Head of HR Services - Strategi Solutions Group
Many of us will have recently enjoyed New Year’s Eve celebrations with family and friends; a time for seeing out the old year and welcoming in the new as the clock strikes midnight. It is also a time for reflecting on what you would like to achieve, maybe change, in the coming year.
For businesses and organisations, the clock is also ticking, and it may seem to be ticking ever faster, towards 25th May 2018 – the date on which the new General Data Protection Regulation (GDPR) comes into effect.
With many organisations having previously adopted a ‘wait and see’ or ‘we’ll look at this in the new year’ approach, and with less than five months to go, fear is growing about the changes that this new law will bring.
I’ve heard many people liken GDPR to the Y2K bug. Cast your mind back to December 1999 when people were worried that as we entered the new millennium, the world would be thrown into chaos with computer networks crashing, banks collapsing, power grids going down and even prophecies that planes might start falling out of the sky!
Luckily, the predictions about GDPR do not appear to be on the same scale as those about the Y2K bug. There is also one significant difference: the Y2K bug was an uncertainty. GDPR, on the other hand, regardless of any Brexit developments, is a certainty, and its impact is not a complete unknown.
As the 25th May approaches, talk of GDPR continues to grow, with increased press coverage – some of it good, but also a great deal of scaremongering implying that the Information Commissioner's Office (ICO) will routinely impose huge fines of up to €20 million (up from the current £500,000 maximum), or 4% of annual worldwide turnover, whichever is higher, both for breaches and for failing to report them.
Most of this is simply not true, and it is important to separate fact from fiction. Yes, there are changes, and yes, there is considerable work to be done to gear up and get ready for the new data protection landscape. It is also true that the ICO will be monitoring and enforcing the new regulation.
However, the ICO has stated that it will act as a ‘fair and proportionate regulator’, issuing fines only as a last resort. GDPR is therefore not intended simply to scale up the penalties of its predecessor, the Data Protection Act 1998. Elizabeth Denham, the Information Commissioner, has even said “what is foremost in regulators’ minds is not to punish the organisations, but to make them better equipped to deal with security vulnerabilities”.
Much of the new regime is based upon the existing Data Protection Act and so it is an ongoing evolution, rather than a revolution of the existing law.
The key steps that should be taken now to prepare for the changes are:
1. Commitment – organisational preparation from the top down, across the entire organisation, not just senior leaders and / or functions such as HR and IT. Every organisation needs to develop a culture of transparency, where all employees, customers and clients know what data you hold, how and where you store it, and that there is a lawful and legitimate basis for processing it.
2. Analysis – complete an audit of what personal and sensitive (special category) data you hold, where it came from, and which third parties require access to it (adding data protection impact assessments for any processing likely to be high risk), and ensure that your supply chain is also GDPR compliant.
3. Action – ensure you have the correct policies, procedures, privacy notices and contracts in place to be GDPR compliant. Identify whether you need to appoint a dedicated Data Protection Officer or, if not, that you have a similarly accountable person in place. Where you rely on consent as your basis for holding or processing personal data, individuals must be able to give it freely, and they also need to know who to go to if they have any concerns or wish to withdraw that consent.
4. Security – be rigorous in identifying and implementing appropriate technical and organisational measures to protect the personal data you hold against cyber threats.
5. Awareness – train your employees on information security across the entire business. Criminals have great minds and capabilities, but people within your own organisation are your greatest weakness. If they do not understand the importance of data security and privacy, you are far more likely to suffer a breach, even an unintentional one. Regular refresher training is therefore a necessity.
In a world of increasing online activity and transactions, an increase in cyber-crime inevitably follows. Whilst GDPR will not eradicate that risk, the new law will require organisations to take serious measures to improve privacy and security, deterring breaches and limiting their impact when they do occur. In turn, as individuals, this gives us a greater level of trust and confidence that data protection is being regulated across all sectors, industries and technologies.
As we start 2018, we can reassure ourselves that the GDPR does not present the same level of uncertainty as the Y2K bug. It is a certainty that presents an opportunity to embed good data protection practice, benefitting us all, whether in the capacity of an employee, client or customer.
So, if you are looking for a remedy to that new year hangover, the solution is to make yourself one resolution this month: to ensure that you and your organisation prepare for the introduction of the GDPR on 25th May 2018. This will be particularly important if you are a medium to large organisation operating across multiple locations. If you make and execute a plan to put the correct roles and responsibilities, policies and procedures in place, hopefully the only headache you will be left with is from one too many tipples during the end of year festivities!