
How Will GDPR Affect My Business?


GDPR (General Data Protection Regulation) will come into force on the 25th of May 2018.

The high fines associated with GDPR non-compliance make this post essential reading for ALL businesses.

The details of this subject are way too extensive to cover in one post, but this will give you an outline so you can appreciate that YOU MUST TAKE ACTION.

First, some interesting statistics:

96% of organisations don’t fully understand GDPR

90% are worried about their ability to comply

26% in 2016 believed their organisation would fully comply by May 2018

22% in 2016 have GDPR compliance as top priority

It surprised me that almost all of my customers and business contacts misunderstand the penalties, the risks and the consequences of failing GDPR compliance.

Lack of awareness and action poses a significant business risk and should be regarded as more serious than filing late tax returns.

I’ve met people who think that fines will go to the European Union or the UK government. Others are unsure whether local or global turnover is used to calculate fines. Some even believe that they will not be affected due to Brexit.

I often hear business owners and leaders say "we are aware of GDPR but it's not high on our priority list, and I suspect other businesses have the same view".

Another comment is "I do not really believe the authorities will start issuing fines of up to 4% of companies' global turnover ... that's not realistic or enforceable".

The most worrying is the head-in-the-sand comment: "This is designed for large organisations who store lots of data and are a bigger target for hackers, so there's little chance of us being affected by this ... we are way too small for anyone to care".

If any of the above comments sound familiar then you need to read on.

 

What data do we have to secure?

All data needs to be secure, but GDPR specifically targets PERSONAL DATA. This is broadly defined as information about a Living Person and where the data can identify this person or persons.

For example, if you have a marketing database or spreadsheet which contains full names, email addresses, phone numbers etc... then this is personal data.

Also, you hold personal data for your own staff and may even share this with external suppliers such as a payroll agency, accountant or HR company. You have to show that you only hold essential data, that it is stored in a secure way, and that you enforce a "need to access only" policy.

 

Does GDPR apply to B2B organisations?

GDPR applies to all forms of organisations and all sectors including public, private and charities. All of these may hold PERSONAL DATA about employees, customers, prospects, members, donors etc... so the simple answer is YES, B2B firms have to comply with GDPR.

 

How strict will regulators be?


In a recent meeting with the regulators and European officials some regulators seemed willing to “take industry by the hand” and lead them to compliance. Others want to be enforcers. At the moment, nobody knows for sure how enforcement will take shape.

Non-compliance fines are outlined as follows:

  • 10 million Euro or 2% of your annual global turnover (whichever is higher). This will normally apply following a series of offences such as failing to take appropriate security measures.

  • 20 million Euro or 4% of your annual global turnover (whichever is higher). This applies when something seriously bad has happened, such as an illegal data transfer, a data breach following hacking, or a repeated violation of the law.

The size of the fine will almost certainly reflect the awareness you have of the GDPR regulations, the actions you can prove you have taken, and the severity of any data breach.

 

What triggers an investigation?

With GDPR you have a responsibility to adhere to the regulations and of course you can do nothing and hope for the best. However, would you consider doing this in other parts of your business ... not buying compulsory insurances or making shortcuts in health and safety?

At present there's no GDPR accreditation, so effectively each business self manages their own compliance.

So what triggers an investigation? In most cases a complaint would be made against you, or you would self-declare a breach.

Regulators could take action on their own initiative

If a regulator receives information that a company's new privacy policy seems inadequate or does not meet the standards, this can trigger an investigation into your organisation's compliance.

Competitor or customer complaints

The level of the fines makes it more likely that a customer or competitor may approach the authorities, either because of a legitimate breach or simply to be mischievous.

You report a breach

If you report a breach then an investigation will be opened.

GDPR is very clear: you MUST REPORT A DATA BREACH WITHIN 72 HOURS of becoming aware of it (the regulation excuses notification only where the breach is unlikely to result in a risk to the individuals concerned). Failure to report is a fundamental breach of the regulations in its own right and will trigger a significant fine, even if you can prove that you have otherwise been squeaky clean and made every effort to comply with GDPR.

Not reporting a breach

If it's discovered that you have had a breach and not reported it, then a case will be opened, as your organisation has evidently acted unlawfully.

As with the HMRC, if a discrepancy is highlighted then your organisation will be investigated to identify what has happened and if there are other issues to examine.

Failing to have adequate security

GDPR relates to data stored electronically and on paper, so failing to secure data may trigger an investigation that could result in fines.

You must ensure that you shred paper files and secure all data on servers, computers and portable devices.

 

What if I lose a laptop or USB stick?

If the device holds any form of Personal Data then this is a data breach and must be reported.

You cannot just buy another device for your employee and ignore the data exposure.

We would advise encrypting data on all portable devices to minimise the ability of anyone to access the data. The primary exposure is the "man in the street" being able to access the information on the lost device with little effort and technical ability ... it's not all about hackers.

Choosing not to report a data breach to avoid regulatory scrutiny or sanctions is not a viable strategy and could increase fines.

 

Not our fault - we became infected with malware!

Regardless of whether you have strong or weak security, your business systems can still become infected. GDPR accepts that this is a fact and takes the level of security you had in place into account when there is a data breach.

As part of any investigation there could be a review of your security to assess whether you were negligent, whether you could have minimised the risk by securing your data better, and whether you are only storing the essential Personal Data you currently need to run your business.

 

What should we do?


If you have not started GDPR readiness then you need to start now and take action.

There are too many actions to list in this Blog, but essentially you should consider the following.

  • Appoint an employee to manage GDPR compliance and assess what you need to do

  • Seek external GDPR advice and assistance. This is a complicated subject and the practical compliance details are still fluid, as detailed guidance from the regulators is still being finalised, so engaging with experts is advised and can only help prove your willingness to comply.

  • Obtain business owner or board buy-in. This is really important as changes will no doubt incur financial costs and process changes which have to be authorised and applied from the top down. Any reluctance to get involved should be countered with clear awareness of the fines and business impacts of doing nothing.

  • Review IT security and remedy any exposures. Your IT department or external provider should ensure that you have adequate network security and that all servers and computers have the latest updates and security fixes applied at all times, as this significantly reduces exposure to threats originating from the internet. We strongly advise obtaining Cyber Essentials Plus certification: an external specialist security company performs advanced checks on your IT security and reports the findings so you can take remedial action. Do not let your IT company do this, as there is a clear conflict of interest and they are typically not as well equipped to do it properly as a specialist security company.

  • Examine what data you have, who has access to this, where it's stored, how it may be replicated, and does it contain Personal Data

  • Reduce the risk by implementing good email, file and data housekeeping. All data not required should be deleted or archived to offline media. Apply retention policies to all of your electronic and paper documents.

  • Securely shred paper files which are not required.

  • Involve your staff as they may need to change their working processes to reduce risk

  • If you gather Personal Data via your website then you must review the privacy policy to make sure it is GDPR compliant or add one if you have nothing. When you gather the data you MUST have clear consent from the person providing the information that they have read the privacy policy and they agree for you to store and use their data according to this policy only. You must record this acceptance and be able to prove it if requested.
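The "examine what data you have, who has access to it and where it's stored" step above is the one most people skip because it sounds like paperwork; a first pass can be scripted. The following is an added example, not code from the original article: it walks a directory tree, flags text files that contain likely personal data (e-mail addresses and UK-style phone numbers) and records whether each flagged file is readable by every local user, which is a cheap first check against the "need to access only" rule. The regular expressions, directory layout and sample files are assumptions made for the demo; the sample tree is constructed on the fly so the script runs offline.

```python
"""Personal-data discovery scan (added example, not the article's own code).

Surfaces candidate files for human review; the patterns are deliberately
loose. Sample data below is constructed for the demo and uses reserved
example.com / example.org addresses and 07700 900xxx / 01632 960xxx
numbers, which never belong to a real person.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# "+44 7700 900123" or "07700 900123": a leading +44 or 0, then ten digits
# with optional single spaces between them.
PHONE_RE = re.compile(r"(?:\+44\s?|\b0)(?:\d\s?){9,10}\b")


@dataclass
class Finding:
    path: str             # path relative to the scan root, "/" separated
    emails: int           # number of e-mail addresses matched
    phones: int           # number of phone numbers matched
    world_readable: bool  # True if the "other" read bit is set on the file


def scan_file(root: str, path: str) -> Optional[Finding]:
    """Return a Finding if the file looks like it holds personal data."""
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return None  # unreadable or vanished mid-scan: skip, don't crash
    emails = len(EMAIL_RE.findall(text))
    phones = len(PHONE_RE.findall(text))
    if emails == 0 and phones == 0:
        return None
    mode = os.stat(path).st_mode
    return Finding(
        path=os.path.relpath(path, root).replace(os.sep, "/"),
        emails=emails,
        phones=phones,
        world_readable=bool(mode & stat.S_IROTH),
    )


def scan_tree(root: str) -> List[Finding]:
    """Scan every regular file under root; results sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            found = scan_file(root, os.path.join(dirpath, name))
            if found is not None:
                findings.append(found)
    return sorted(findings, key=lambda f: f.path)


def report(findings: List[Finding]) -> List[str]:
    """One human-readable line per flagged file."""
    lines = []
    for f in findings:
        access = "WORLD-READABLE" if f.world_readable else "restricted"
        lines.append(f"{f.path}: {f.emails} email(s), {f.phones} phone(s), {access}")
    return lines


def build_demo_tree() -> str:
    """Create a constructed sample tree so the example runs offline."""
    root = tempfile.mkdtemp(prefix="gdpr-scan-demo-")
    os.makedirs(os.path.join(root, "marketing"))
    os.makedirs(os.path.join(root, "finance"))
    samples = {
        "marketing/prospects.csv":
            "name,email,phone\n"
            "Ann Lee,ann.lee@example.com,07700 900123\n"
            "Bob Ray,bob@example.org,+44 7700 900456\n",
        "finance/quarterly.txt":
            "Q1 revenue 120000\nQ2 revenue 135000\n",
        "finance/payroll-notes.txt":
            "Call the agency on 01632 960000 about last month's run.\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    # Simulate a marketing spreadsheet dropped on a share with open rights
    os.chmod(os.path.join(root, "marketing/prospects.csv"), 0o644)
    os.chmod(os.path.join(root, "finance/payroll-notes.txt"), 0o600)
    return root


if __name__ == "__main__":
    for line in report(scan_tree(build_demo_tree())):
        print(line)
```

Run against a real file share, the output is a starting list for the data inventory: which files hold Personal Data, where they sit, and which are readable by anyone on the host. The finance forecast is not flagged because the scan looks for identifiers of people, not for numbers in general; a file it does flag still needs a person to decide whether the data is essential, who should have access, and when it should be deleted under the retention policy.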

Need help with your GDPR compliance? You are not alone...most organisations need help and advice planning their GDPR compliance strategy.

We offer FREE ADVICE for all IT related matters so please contact us if you need help.
