Words Victoria Brown, High Performance Consultancy
In a recent survey conducted by Downtown in Business, an astonishing 77.8% of businesses reported that they are GDPR ready… really? Over the last few months we have been partnering with DIB and some leading IT providers to conduct roundtable events in Liverpool, Manchester and Birmingham, providing guidance and support to businesses preparing for GDPR. It would appear that many of the businesses attending these sessions have been unaware of their responsibilities and of the practical steps they need to take before 25th May 2018. Here are a few of the comments I have heard from clients and the business community:
"I have GDPR covered… it is with my IT provider."
Whilst the General Data Protection Regulation will address the significant changes in technology since the Data Protection Act 1998, the considerations do not stop with your IT provider. A thorough understanding of how your business handles data is paramount. Knowing where data is stored, how secure that location is, and whether the data is being shared will be critical come May 2018. I would recommend that companies undertake a data audit.
"I outsource everything, so my third-party providers are liable for sorting out GDPR."
This is not the case. Companies will need to establish the external bodies that hold or process data on their behalf and what steps they are taking to comply with GDPR.
"I don’t need to start looking at this until 25th May."
Absolutely not – you need to be ready by 25th May, not thinking about it.
In 2016, the EU adopted the General Data Protection Regulation. It replaces the 1995 Data Protection Directive, which was adopted at a time when the internet was in its infancy. Member states of the EU have been given two years to ensure that the Regulation is fully implemented in their countries by May 2018.
"Do I need to worry about this now, as we are leaving the EU?"
The Queen’s speech in June 2017 confirmed that the GDPR will form part of UK law following the withdrawal from the EU.
"My business does not need to comply with GDPR as I do not store or process any personal information."
I have heard this comment so many times over the last 12 months. It is also a point made internally by some departments. There is a general misunderstanding of what constitutes personal data. The Regulation states that any company that stores or processes personal information about EU citizens must comply with the GDPR. This effectively means that every business with at least one employee, or that keeps records of its customers, will be required to comply with the GDPR.
I would strongly urge all businesses to nominate a data protection officer or privacy manager (whichever is appropriate) and to ensure that they are ready by 25th May 2018. This is a great opportunity for business owners to get their housekeeping in order. It is also something that should not stop on 25th May: each business needs to consider how it will monitor data handling and address breaches in the correct way. The fines from the ICO (Information Commissioner’s Office) could be quite high if you have neglected the way in which you store or process data.
In addition, it is evident from our recent roundtable sessions, the DIB poll and general feedback from our clients that raising awareness and training are very important. I would strongly advise that the changes you make are covered within your policies and induction process. For existing staff, good communication and briefing sessions about the changes will reduce your future risk of breaches.
We have a practical guide available to download for all DIB members; please contact Daniel@highperformanceconsultancy.com
To register your interest in our next DIB Power panel on GDPR and cyber security, contact Daniel@highperformanceconsultancy.com