As the new year is fast approaching we are all making plans to do things better for our businesses. Our need for development and growth will make us want to:
- Communicate better
- Increase sales
- Become more digitally savvy
- Grow our customer and data base
- Enhance our networks
- Create and refine services and products
There is so much we need to plan for to make 2018 even more of a success than 2017!
But how many of us are planning and preparing for the new legislation coming into force on 25 May 2018, known as the GDPR or, in full, the General Data Protection Regulation?
This article will provide an overview of what the GDPR is, why it is coming into effect, and steps required to become GDPR compliant by May 2018.
What is the GDPR?
As mentioned above, the GDPR (the General Data Protection Regulation) is new legislation replacing the DPA (the Data Protection Act 1988). The GDPR applies to all organisations that control and process data – both personal data and sensitive personal data. From sole trader upwards, any organisation that operates within the EU, or that supplies goods and services to EU states and citizens, needs to be GDPR compliant from 25 May 2018.
Why the GDPR?
Data is valuable, and as business owners we are encouraged to build our databases: the more data we have, the more effective we will be in developing the right goods and services for our customers/clients. However, data is regularly lost and compromised, from MPs leaving briefcases and devices in public spaces to the hacking of large companies' and institutions' computer systems. So we need to do better at protecting this valuable data.
In this day and age you can often see how people deal with your data, for example when booking a car service. Take the local car garage that has no computer systems: your details are written on a piece of scrap paper or in a notebook, which could get lost or be left visible for other customers to see. This is not good practice. On the other hand, a more sophisticated car garage may allow you to book and pay for your service online. The convenience is great, but if they have not developed any means of protecting your details should their website get hacked, that too is not good practice.
With so many scenarios showing how our data is being carelessly handled and managed on a day-to-day basis, the GDPR is designed to reinforce the importance of protecting valuable data. By creating consistent guidelines and rules across the EU, the GDPR aims to address weaknesses in the organisational management of data and to make doing business easier.
What is Personal Data?
Personal data includes:
- Date of Birth
- National Insurance number
- Bank details
- Medical records
- Email addresses
How will the GDPR affect us?
GDPR is designed to:
- Help us understand the value of the data we hold
- Encourage us to put more emphasis on protecting our valuable data
- Enhance our organisational reputation
- Encourage better business practice leading to better opportunities
- Enforce fines if we are found to be non-compliant
Steps to GDPR compliance
25 May 2018 may seem far off, but it isn't, so you need to get started now!
Do your research! The independent body responsible for the GDPR is the Information Commissioner's Office (ICO). The ICO has a wealth of information to help you learn more about the GDPR and how to become compliant. As expected there is a lot of information, but it is best to be well informed!
Here are a few links to get you started:
For more information on the GDPR, visit the Information Commissioner's Office (ICO) pages on the GDPR.
The Getting ready for the GDPR checklists are very useful self-assessment tools created by the ICO to help you identify what you need to do to become compliant. The results and feedback will determine how much you need to do, so get started now!
The ICO has also published a useful 12-step guide on preparing for the GDPR: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
In a nutshell you will need to assess and update your organisation’s:
- Awareness training
You and all your stakeholders need to raise your awareness of the GDPR and how it will affect your organisation, both generally and specifically. Seek professional advice and check the ICO tools, but don't get caught up in the scaremongering: yes, fines are a consequence of non-compliance, but these are dealt with on a case-by-case basis. The main thing is to focus on the benefits of becoming compliant.
- Processes and Practices
Once you have more awareness of the GDPR and how it will impact your organisation, start auditing your processes and policies: what do you currently have in place, and what is required to be fully compliant? How do your contracts and service agreements encourage best practice with stakeholders? Think about assigning roles and responsibilities, creating risk assessments, incident reporting procedures, insurance and business continuity plans.
Ensure your policies are updated as required, and if you need to add more policies, go ahead and do it. Policies are boring, but they are a sign to your stakeholders of your commitment to protecting the valuable data you hold.
You will also need to look at the technology you use: how is it protected, can it be infiltrated easily and, most importantly, who has access? User management is very important here!
The GDPR is coming and you need to be ready for it. I hope the above has proven useful and, as mentioned, don't be scared by the hype around getting fined. Be proactive and work through what is required to become compliant. You still have time to get up to speed, so use it wisely and effectively!
Happy New Year to you all.
Yejide Adeoye MBCS
Logic to Create