It’s been a few months since the GDPR deadline passed and, once half the nation stopped sitting in the corner of the office breathing into paper bags, we’ve sat back and thought “is what we have done enough?” In fairness it was always going to be a shock: this is the first major piece of privacy / data protection legislation in the last 20 years, and the first since the internet became mainstream and turned into the data mine it now is for companies.
Over the last 20 years more and more people have been using technology, but equally people have become blasé about their security and their rights. How many times do we see a website and click “I’ve read the terms and conditions” without actually reading them? I can remember in college revealing that the parenting rights to future children had been signed away, through the T&Cs, by using our program. This was of course in jest, but it did prove a point: we’ve become lazy with our personal data and with checking what websites and programs can and cannot do with our information.
Step in GDPR, legislation that requires you to opt in to marketing, puts steps in place to make sure data is kept secure, ensures that personal information is not simply sold on without your knowledge and, on the whole, forces businesses not just to think about security and personal data but to actually put safeguards in place.
As with most change, people resist and complain, but the issue is not necessarily the laws themselves but how people have understood (or in some cases misunderstood) them. Think back 15-20 years to when Health and Safety was first introduced: there were stories of schools banning conkers and “working at height” warnings for climbing three steps into an office. Initially people over-react and go overboard, but then things settle down. The heart of H&S law was the protection of people: a need to ensure the safety of workers hanging off the side of a building, a need to make sure that in a warehouse people are visible and that items are secured so they don’t fall on someone.
The same goes for GDPR. We needed companies to stop misusing our information, and we needed everyone to ensure that personal data is kept secure. Companies needed to know where the data they held was going, what it was being used for and whether what they held was needed at all. There needed to be formal processes and procedures to report data breaches and, dare I say, there needed to be checks to see whether systems had a vulnerability or had even already been hacked.
So, when is enough, enough? I would recommend working on the big things first:
• Review where your data is stored and how it is protected (data flows and policies).
• Ensure that you have a Data Processing Contract in place with any company you are handling data for (the controller must have one with you, so ask for it if it is not offered).
• Raise awareness among top management and staff.
• Appoint a responsible person / Data Protection Officer.
• Review what Personally Identifiable Information you hold and whether consent is required for it, etc.
• If you are a data controller you need to register your company with the ICO (and pay the data protection fee, unless exempt) to get your registration (DPA) number.
Getting a formalised management system in place can help focus the business and help with implementing some of these things. Standards such as ISO 27001 focus on information security management and so go a long way toward maintaining the GDPR requirements; however, it should be noted that they do not cover all of them (the lawful-basis, consent and individual-rights requirements in particular sit outside an information security standard). At CQS, we offer a GDPR Gap Analysis by one of our GDPR Practitioners, in which we review where you are in terms of compliance and what needs to be put in place, giving advice on how to implement it.