I have been presenting on GDPR for over two years now, and in that time, it has moved from speculation about what, if and when, to where we are now, where we have many of the answers to those questions.
Let’s start at the beginning. The GDPR (General Data Protection Regulation) is the long-awaited replacement for the 1998 Data Protection Act. It works on similar principles, but is very much enhanced and strengthened, with much tighter rules that determine what you can and can’t do with personal data. It applies to any organisation in the world that holds personally identifiable information on an EU citizen (including the UK). If you think that does not include you, it does, as it even includes the staff that you employ.
On May 25th 2018 GDPR comes into force. Technically, from that point, any organisation that is either non-compliant or has a data breach is liable to some pretty hefty fines that in theory could take most small organisations out of business. We also know that Brexit will not change this, as our government has made it very clear that the UK will be adopting GDPR through the Great Repeal Bill. OK, it may not be quite as simple as I am making out – but that is a fair summary.
As I was learning about GDPR, one thing that a colleague explained stuck in my mind, and I believe it is worth sharing. GDPR shifts the ownership of personal data from the company (the data controller) to the individual (the data subject). So as a business owner, think of the data like you would any other asset that you have been given permission to use, but do not own.
When talking with small and medium size business owners, I am often asked:
What are the risks to Small & Medium Businesses?
The risks are now clearly identified in the regulation (ICO fines (up to €20m), class action lawsuits, data subject compensation, reputational damage etc.) and have been written about in much detail. However, until we start seeing real examples come through the courts, small and medium businesses will have to use their own judgement on the impact to their organisation.
Where do we start?
There is good news and bad here. The good news is that there is now some great advice about where to go and what to do to become compliant. The bad news is that there is also some pretty poor advice, as organisations with something to sell jump on the bandwagon. Today just about every IT security vendor will tell you how their software can help you become compliant. All of a sudden, you could find you have spent a fortune, yet are no closer to compliance.
The other thing to consider is your organisation’s current approach to data security. Much of the GDPR regulation is simply best practice. Therefore, you will find that there are areas where you may be compliant already, or that require very little effort to become compliant. However, you won’t know until you start learning more about the regulation.
Before speaking to any vendor, head for the ICO website. The ICO are trying very hard to help organisations become compliant, and as a result they are producing some very good steering. I also believe that, should you ever be investigated, the ICO would look more favourably on you if you have been following their guidelines! My only word of caution is that their website still has a lot of references to the current Data Protection Act (DPA) as well as the incoming GDPR, so please remain vigilant and understand which you are reading about.
The ICO’s ‘12 steps to take now’ document – in my mind, this is the single most useful document. If you are starting from nothing, this is the best place to start. You can then broaden your reading from there (if nothing else, it gives you a lot of terminology that you can then search the web for).
If you want to start looking at alternative GDPR commentary, then some of the law firms have great blogs. For example, the Fieldfisher blog provides excellent in-depth analysis and opinion on some of the more intricate details of the new regulation.
Seminars, webinars and workshops are a great way to educate. However, pick carefully. GDPR is complex and subject to interpretation. I have attended seminars where the presenter has had limited knowledge, and the quality of advice has been below standard. At 5th Utility we offer an interactive workshop that we tailor to the people in the room and their existing level of knowledge.
Back to the vendors – they have been writing some great documentation on GDPR, but be aware that they will frequently be trying to steer you towards viewing the problem in a way their solution can resolve. That said, one of the vendor GDPR overview documents I really like is from Skyhigh Networks, their ‘An Action Guide for IT’, which can be downloaded here.
Now you have done some reading, it is essential to create a baseline of where you are today. There are different ways to do this, but I often start this by breaking out the business into People (education), Process and Technology.
- Do my people understand the requirements?
- Do I have the processes in place to be compliant?
- Is my technology set up to ensure compliancy?
I then break these down into much finer detail, identifying the gap between where the organisation is today and where it needs to get to. I then apply a ‘Priority, Cost and Time’ estimate to each area identified (sometimes using the ‘known unknowns’ model to identify risk).
Making a Plan and taking action
With the prioritised list in hand, the last step before taking action is to assign responsibility, and a schedule. This process will also help you to determine where you may require outside assistance.
Lastly – do not forget to document actions and progress. As well as being a good way to demonstrate to the ICO and your board that you have been taking your responsibility seriously, it also helps you and your organisation to appreciate progress and continue to evolve your plan. GDPR is not a ‘one time’ certification. An ongoing position of compliance is required, and documenting progress will help ensure you maintain that position.
If you have questions about this blog, or would like to talk to us about our range of GDPR services, please email us at firstname.lastname@example.org