Oh No, it’s another GDPR Blog.
The new General Data Protection Regulations come into force on the 25th May 2018.
You cannot fail to have heard of and/or read about the ‘biggest change to data protection in the past 20 years™’, so what we don’t want to do is rehash the same old information.
If you’ve not heard of it before, here’s a basic guide (I actually don’t like the term ‘idiot’s guide’ in this case – if you don’t know, it doesn’t make you an idiot!).
First a disclaimer: we are not (unlike many other IT consultants, MSPs, or guys who read an article on LinkedIn) suddenly GDPR experts. We are aware of our limitations. We are also aware that there is no GDPR silver bullet, no amazing firewall, anti-virus programme or any other piece of technology that makes you ‘GDPR compliant’.
Technology plays a part, and we can help with that. But it’s a very small part; there is more to GDPR, including processes, procedures, staff training and continued monitoring. If your technology provider is ‘looking after’ GDPR for you, then I would be very concerned.
The aim of this blog is to try to help you navigate the huge amount of information, misinformation, ‘expert’ analysis and downright scaremongering out there and find the best sources of real, useful, actionable GDPR information.
Where to get help
You know what GDPR is and that you need to do something about it, so where do you start?
Well if you’d like the complete picture (or you can’t sleep) here is the whole regulation. It’s 261 pages long and you must read it completely – or not, up to you really.
If you’ve got neither the time nor inclination to read and interpret an entire EU regulation document then a) we don’t blame you and b) you need to pick your information sources carefully.
The one we recommend for everyone to start with is the Information Commissioner’s Office (ICO).
In short this is the government office that will be enforcing the new regulations. It therefore seems an eminently sensible place to start! Think of it as the Health & Safety Executive for Data Protection.
There is even a helpline for small businesses to ask questions. The phone service is aimed at people running small businesses or charities. To access it dial the ICO helpline on 0303 123 1113 and select option 4 to be diverted to staff who can offer support.
The ICO have issued a document called GDPR 12 Steps To Take Now which, unsurprisingly, gives you 12 steps to take now! However, we would add a step before the 12 published:
Here is a direct quote from the ICO document we’ve mentioned above:
“Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from.”
Whew! That’s a relief, right?
But there follows a note of caution:
“However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.”
But what are the ‘new elements and significant enhancements’? This is surely where our efforts need to be focused.
The main changes from the old regulations are summarised by the EUGDPR website here – https://www.eugdpr.org/key-changes.html
This is a document you should read; it will probably help you identify the areas you need to focus on.
If you’ve been reading about GDPR these should come as no surprise and there aren’t actually that many of them.
These are the areas around which you are most likely going to need to develop new processes and procedures. You’ll also need to train staff how to deal with data access requests and individuals requesting their details be forgotten.
Another good information source we’ve found is The GDPR Coalition. This is an Irish site, and they produce some nice, simple infographics alongside lots of information.
What other help is there?
We’re not rubbishing all GDPR consultants, nor are we going to say only use the ones that we work with. We want this blog to try to retain a bit of impartiality.
If you’ve completed your information audit and you’re high risk you may want an external consultant.
If you are going to do so, make sure you do some due diligence. Personal recommendation is always good but also look at qualifications and experience. Get a CV and ask for some documentation and testimonials to back it up. And check the CV. Call or email the ex-employers and make sure the role is what the person says it was!
Many of you will be able to go it alone, so where else can you turn?
We are going to go out on a limb here. If you’re using reputable 3rd party software, things like MailChimp, HubSpot, Salesforce, Sage, QuickBooks etc., then those products are going to build in some help with at least some of these areas.
If you’re using any 3rd party software to collect, process, transfer or store data, have a look at their websites. As an example, MailChimp have released their own guide to the GDPR which details how they are preparing for GDPR and gives information on making your use of MailChimp GDPR compliant.
Whilst we are not suggesting that you delegate responsibility for your data, the producers of these products will be working toward GDPR compliance and that can help your compliance.
It might be time to move those customer details out of that old Excel spreadsheet and into a proper CRM system!
OMG, have you seen the size of the fines?!
The biggest tactic for scaring businesses about the GDPR is the fines. They are massive: £17m or 4% of turnover, whichever is HIGHER. These are scary numbers, and we’ve been as guilty as anyone of publicising those numbers.
The reason we’ve done that is because the numbers scared US, and we wanted our customers to know about them. Taking no action on GDPR isn’t an option.
There are more selfish reasons too. If one of our customers suffers a data breach they will ask questions of us as an IT provider. We want to work with our customers in the lead up to GDPR to help them become compliant, not get into a ‘blame game’ if the worst happened. We want customers to understand both their and our responsibilities when it comes to data protection and the big, scary numbers make people ask questions. Also, if any of our customers get a £17m fine they’ll go out of business so we’ve lost that customer. And we like our customers.
But there is more good news. This comes directly from the excellent blog of Elizabeth Denham, The UK Information Commissioner or, as we prefer to call her, the God of GDPR:
“This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that.
Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point.
And that concerns me.
It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA allows us. It’s also true that companies are fearful of the maximum £17 million or 4% of turnover allowed under the new law.
But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.
The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.
Our Information Rights Strategy – a blueprint for my five-year term in office – confirms that commitment.
And just look at our record:
Issuing fines has always been and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned.
And we have yet to invoke our maximum powers.
Predictions of massive fines under the GDPR that simply scale up penalties we’ve issued under the Data Protection Act are nonsense.
Don’t get me wrong, the UK fought for increased powers when the GDPR was being drawn up. Heavy fines for serious breaches reflect just how important personal data is in a 21st century world.
But we intend to use those powers proportionately and judiciously.
And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective.
Like the DPA, the GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket – their reputations will suffer a significant blow.
And you can’t insure against that.”
Lengthy, I know, but both comprehensive and clear – the ICO are here primarily to help, not to issue fines.
What can Your IT do?
We’ve emphasised a lot of what we can’t do in this blog, but we can help. Honest!
We can provide you with a free cybersecurity check which will identify any gaps in your current technical solutions. We can also refer you to one of our GDPR consultancy partners who can help you on your compliance journey. Fill in a contact form or call us on 0115 822 0200 if you’d like a check or to speak to a partner.