At this time of year, it is customary to set a new year resolution. Normally something along the lines of “I will eat less and exercise more” in an effort to shift some of the extra pounds accumulated during the festivities. With a resolution like this, the aim is to have that “beach ready body” you always tell yourself you COULD have, in time for your summer holidays. With all the best intentions, these things often slip.
If you are in business, your new year resolution for 2018, observes Chris Hunter, should be “get my organisation in shape for GDPR,” with the aim to have your business ready for when GDPR kicks in properly from 25th May 2018. You know what GDPR is, right?
You will no doubt have seen the acronym GDPR more and more towards the back end of 2017 but perhaps didn’t know what it was, or how it might affect your business. I will guarantee that once GDPR is on your radar, you will start seeing those four little letters more and more… everywhere you turn, certainly on LinkedIn, Twitter and in the business press. If you were NOT previously aware of GDPR or the General Data Protection Regulation (to give it its proper name), you should make yourself familiar with it NOW.
TWO YEARS… and only five months of it left
In 2016, the Information Commissioner’s Office (ICO) gave businesses two years to get ready for GDPR. In five months’ time (25th May 2018) that two-year lead-in will be over, and GDPR will become law and enforceable. It marks the biggest change in Data Privacy laws in 20 years. These changes are actually long overdue. Much of what the GDPR requires is based on things you should already be doing, but you should take some time to check whether you are following the current regulations around Data Privacy and also Electronic Communications.
If you think back to 1998, we didn’t really spend all that much time online, certainly not compared to how much we do today. Virtually everything we log into nowadays has a social media logon option (where your profile openly provides a lot of information, whether you are aware of it or not). If no social option is offered, then logins and sign-ups will certainly ask for a username and password (as a minimum), maybe your gender, age, postcode, perhaps even your inside leg measurement… this is all personal information which can be used to build up a profile of us. Providing information of this nature of our own free will is one thing, but it being taken without our consent, or being used in ways we did not intend, is another.
GDPR is basically harmonising laws across the EU about how data is collected, stored, used and processed. It will give more rights to the “data subject”, i.e. a “living” or “natural person”, to be able to ask organisations what information they hold on them. It will require organisations to be transparent and accountable. If you run a business that holds personal data, this means that you will need to have procedures and policies documented to be able to deal with this. GDPR will put in place tighter rules so that if data is misused or leaked (because the proper security measures were not in place to safeguard information), the parties responsible for its misuse will be held accountable. In turn, this could lead to action being taken and even some rather serious fines: up to £17m or 4% of global turnover (whichever is higher), depending on the severity of the situation in hand.
If you hold or process personal data and you have not yet started planning – don’t worry, you are not alone, many businesses are in the same boat. There is a lot of help and support available if you know who to ask and where to look.
A recent survey showed that the UK businesses who are on the ball have spent around 600 hours researching and preparing for GDPR. Assuming that was one person in a business, that is around 75 solid days, or 15 working weeks, if you work on the basis of an 8-hour day. As an SME, we know first-hand how much work goes into it. Typical GDPR readiness preparations can take between 3 and 18 months. How long did I say we had until May 25th again?
Before investing any money into your GDPR readiness, the first thing you need to invest is your time, to get the buy-in of the people you work with. Ignorance is not bliss. You need to ensure you know what the law requires of you if you hold or process personal data. This isn’t just customer data either; it includes information you hold about current and ex staff too. It is also important that you understand that GDPR is not just about digital data – it includes paper records, CCTV footage… in fact any medium where the information held can be used to personally identify someone.
DON’T BE AN OSTRICH
There are still plenty of businesses burying their heads in the sand. Out of around 5.5 million registered UK businesses, 2.1 million are yet to start planning for GDPR. To add to that, only around 400k UK businesses are registered with the ICO. With five months left, there is still time to act, and with the right support, you can be well on your way by May 2018.
Contrary to popular belief, this is nothing like the Y2K millennium bug. It won’t come and go on 25th May. That is the date when the new regulations become law. Businesses ask us who can possibly police this, with so many businesses in the UK… the public will most likely be the ones reporting incidents, if their information ends up in the wrong hands and they notice fraudulent activity, or they start getting marketing from places they have never given permission to.
HM Network has been running a number of GDPR awareness sessions called GDPRexpress to help Lancashire businesses get up to speed. A couple of subjects that keep getting mentioned are not knowing where to seek help, or how to judge whether privacy impact assessments / data protection executive assessments are worth the investment. The reality is that every business is different and therefore the support needed will differ too.
Many micro businesses and SMEs are getting confused about where to start. They are understandably wary about spending any money – especially if it is hundreds, thousands, even tens of thousands of pounds on audits/assessments that they have not had before. Be wary – there are a lot of opportunists out there. Some businesses will probably need to invest quite heavily. Others might just need some guidance or a hand with a few areas here and there. This was at the forefront of our minds when we started our GDPRexpress events in June. We wanted to stage FREE sessions and share real world experiences from a business going through its own GDPR preparations.
We wanted to bring in a variety of specialist support options to talk to organisations in Lancashire and help businesses get an idea of how to tackle GDPR related tasks, especially if the knowledge was not readily available in-house. Our aim was to HELP people, not scare people, no matter how large or small and no matter what they do. If businesses then wanted to engage with additional support, they had an idea of what they should be looking for and what was available.
We hear a lot of people asking why all this new Data Protection stuff has come out of nowhere all of a sudden. The reality is that the DPA (Data Protection Act 1998) and PECR (Privacy and Electronic Communications Regulations 2003) have been around for over 15 years, so businesses who hold personal data, and especially businesses who market electronically, should always have been adhering to them.
So, if you are at a standing start, which we suspect some of you are, here are some basic pointers to help you. Please be aware that this is simply a start. There is no magic wand that will make you compliant; you will need to work on these, do what you can in-house, but we recommend you DO get professional help where needed. Just ask, we can point you in the direction of lots of support mechanisms.
1 RAISE AWARENESS
Make sure the key people in your business are aware of what is happening with regards to GDPR.
Start here: https://ico.org.uk/ and get the buy-in from ALL the people you work with. Everyone is in this together. There are plenty of free events like our #GDPRexpress events offering high level overviews, as well as more in-depth sessions which you might need to pay for. In addition, there are people willing to offer you help and initial consultations without it breaking the bank. Be wary of anyone trying to charge you an arm and a leg before they will even talk to you about your needs. If you need help, we can provide support.
2 ASSESS WHAT YOU HOLD + PLAN
You will need to document what personal data you hold, including what you have, who you share it with, where it came from and why you have it. You might need to have an audit carried out, so that you can then plan what steps to take next, prioritise them, and set a date by which you aim to have each one done. Having an action plan can make a lot of difference if you have a knock at the door from the ICO.
3 PRIVACY INFORMATION
As a business, you will need to communicate your legal basis for processing the information you hold, plus you will need to advise what your data retention policies are. The people whose information you hold have a right to complain. You should also list the contact details of the person or department who will deal with these matters. Even if you do not legally need to appoint a Data Protection Officer, you will need to have a go-to person or team who will lead your programme.
4 INDIVIDUALS’ RIGHTS
The rights for individuals under GDPR are primarily:
• Subject access
• Ability to correct inaccurate information
• The right to erasure
• To prevent direct marketing
• To prevent profiling and automatic decision making
• Data portability
Respect people’s rights.
5 SUBJECT ACCESS REQUESTS
You will need to put procedures in place that explain how you will handle Subject Access Requests (when someone asks you to provide the information you hold on them). From May 25th, you will need to do this at no cost to the individual and must do so within the new timescale of 30 days, compared to the current 40 days.
6 THE LEGAL BASIS FOR PROCESSING
You should look into the various types of data processing that you carry out and document the legal basis for doing so. Consent is just one of them… look into the others too.
7 TRAIN STAFF
Changing cultures, educating staff and being able to evidence that you have provided training is essential. There are lots of ways staff can be trained on subjects like data protection and cyber-security. A lot of it is common sense, but being able to document who has had what training, when, and what was covered is vital. Again, this does not need to cost the earth. We can point you in the direction of a variety of really cost effective options suitable for sole traders right up to multinational organisations.
8 ASSESS YOUR SYSTEMS
Check that the systems you operate are secure and compliant, and reduce the risk of a breach. Boomerang Video had its website hacked in 2014 and approx. 26,000 customer records were leaked. Unfortunately they faced a penalty of £60,000 as a result. Don’t be fooled into thinking potential fines will only start from May 2018; corrective measures and financial penalties are being issued all the time.
9 REVIEW REGULARLY
Like the shampoo bottles say – lather, rinse, repeat. Just washing your hair once does not keep your hair clean forever. You need to keep on top of it. The same goes for GDPR, Data Privacy and Cyber Awareness. 25th May 2018 will not be a box ticking exercise. The steps above and plenty more will need to become part of your working routines moving forward.
Plan, assess and review.
10 TALK TO SOMEONE WHEN NEEDED
If you have questions, seek advice. Talk to other businesses to see what help they have had, or how others are tackling GDPR. We run all sorts of sessions, from regular CONNECTIVITY CLINICs and GDPRexpress events right up to in-depth training, where businesses can get together with others, talk through scenarios and get help from professional trainers.
GDPR is actually a good thing. It will set the bar for standards in a similar way to food safety standards. If you had a choice of two restaurants offering the same meal at the same price, but one had 1 star and the other had 5 stars – which do you think would have the best food hygiene? Use GDPR to gain competitive advantage and show the people whose data you hold how you value their privacy. It could set you and your competition apart.
If in doubt, seek advice. We can always provide help and put you in touch with a variety of support mechanisms if you have any questions. Big businesses have teams and budgets to address things like this; smaller businesses need people to talk to and a “virtual board” to seek support from. We can help provide that support. A chat will cost you nothing, so feel free to call.
If you have any questions about Data Protection, Cyber Security, Training or need help with your own GDPR preparations, contact Chris at HM Network on 03333 444 190.