Here’s how most articles about GDPR start …
“Have you heard of GDPR? Do you know that it’s coming into force soon? Did you know that if your business falls foul of GDPR it could face hefty fines?”
No doubt you’ve come across many articles, blog posts, videos, webinars and workshops about GDPR, and some of them may have been useful. However, too much of the information floating around the web at the moment is designed to scare businesses into buying products and services they may not need, or into attending talks and training that are a thinly veiled sales pitch rather than a chance to learn something new.
What businesses don’t need is to be scared into action, or to spend time and money doing more than is needed to ensure compliance with this legislation.
Most organisations should already have data safeguards and processes in place that are compliant with the Data Protection Act. You shouldn’t need to do much more to be compliant with the General Data Protection Regulation (GDPR).
GDPR comes into force on May 25. It is actually just an update to existing legislation. Fines for data breaches are larger than under the Data Protection Act, and the ambulance chasers out there have been quick to use this threat to drive business.
The first myth to debunk is about the fines.
Firstly, many articles on GDPR leave readers with the impression that if their business has a data breach, they will be subject to these large fines. Not true. Fines only kick in if the business, having experienced a data breach, can be shown to be non-compliant with GDPR. If you are GDPR compliant, there’s nothing to worry about (apart from dealing with the fallout of a data breach, which can be a lot more significant than a fine from the regulator).
The threat of fines is one of the main ways the GDPR micro-industry has been encouraging companies to take action – and buy their services or products.
However, fines in reality aren’t what you should be worried about. It can take years after a data breach for a fine to have an impact, by the time you have appealed, gone to court and paid. The real impact is reputational damage, loss of market share, your share price dropping, and the cost of repairing customer relationships. It is far better to get your house in order, review your data and ensure you’re compliant than to worry about the potential impact of fines.
Secondly, many businesses and organisations are under the impression that their data processing systems require a complete overhaul. Yet that is highly unlikely unless you’ve been ignoring the Data Protection Act and have no systems and data security measures in place. Yes, GDPR is designed to give personal data more protection, but your business should already be doing much of this anyway. The changes aren’t so extensive that you need to do anything drastic, such as delete your entire customer database.
Time for a GDPR self-assessment
Before you worry that immediate action needs to be taken, or that you’ve missed the chance to do anything, take a look at the Information Commissioner’s Office (ICO) website. The ICO is responsible for regulation and compliance of GDPR in the UK. On the website is a Guide to the General Data Protection Regulation (GDPR) and a self-assessment checklist for anyone responsible for handling and managing data. The ICO has also published several myth-busting blogs that are worth reading, as well as FAQs for a wide range of sectors.
The ICO, and anyone approaching GDPR with a sensible head, don’t want companies panicking. Only those in the GDPR micro-industry are trying to create enough panic to generate business for themselves.
IT security and data protection
Hundreds of companies across the country, from those in IT and IT security to training and law firms, are offering a wide range of GDPR-related services. For the majority of organisations, anything beyond a review of current practices – and improvements as needed (which you should be able to do internally) – is unnecessary. You just need to keep on doing what you were doing under the Data Protection Act.
Information security firms have been busy promoting their services. Here is what they can and can’t do. They can’t:
- Find and collate all of your data. If you don’t know where it is, chances are an IT security firm or consultant won’t find it either
- Identify the origins of the data. Do you know if you obtained a data subject’s consent for the data? If you don’t know, then this is something that a security consultant can’t help with either
- Provide a complete GDPR solution. Processes and systems, and those responsible, are meant to be internal, not external
Once you’ve got your data tidied up, made sure you are compliant, and know who’s responsible going forward, IT security companies can help with the following:
- Ensure you have the systems in place to identify if a breach is taking place
- Report any breaches to the ICO
- Proactively work to secure your systems so that you reduce the risk of suffering a data breach in the future