By Julian Roberts – Chief Executive Officer, EssentialSkillz Ltd
“The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world,” said Matt Hancock, UK Digital Minister in announcing the UK Government’s response to the EU General Data Protection Regulation (GDPR).
We have been living in a world where our data moves seamlessly and without our knowledge from one business to another. Marketing teams buy data lists, they upload them to online automated email systems, integrate them with their customer relationship management (CRM) systems and create call lists for telesales teams. All the while, we as consumers or businesses have no idea that our data is being bought, sold and targeted by sales and marketing teams across the EU.
All this data is held on countless systems, accessed by swathes of giddy sales and marketing teams, all trying to work out how they can gain the greatest commercial benefit from their data investment. Then came the announcement of the new European General Data Protection Regulations (GDPR).
So, what happens now? The rules of the game are changing and that means our behaviour and systems need to change to stay in line, or face the consequences. And the consequences are severe. How many data lists do you have squirrelled away in your organisation? How much personal data is being held and is it being held securely? Do you have a process to show an individual what data you hold on them and if necessary, can you delete that data?
Designed as a counterweight for consumers against the increasing power of the internet giants, such as Google, Facebook and Amazon, the new GDPR is the topic that is resonating across boardroom tables and rightly so.
Fines for non-compliance
Possibly it’s the fines for non-compliance set at four per cent of global turnover or €20million (whichever is the greater) that means keen minds are working hard to avoid failures that could easily spell the beginning of the end both reputationally and financially for even a large, established organisation.
Perhaps the biggest threat for most organisations from GDPR is not in the headline four per cent fines for blatant non-compliance, but the two per cent or €10million fines that can be levied for less serious failures, including the failure to keep an up-to-date audit trail of your assurance policies and procedures. We all know creating them is one thing, but proving they have been read, understood and signed off across the business is quite another.
To put it all in perspective, fines levied by the Information Commissioner’s Office against UK businesses in 2016 would have been £69million and not £880,500 had GDPR been in place, according to analysis by NCC Group. A sobering thought. As a business, you may already be feeling the initial impact of GDPR.
I know we are in our business. The most visible sign is the weekly influx of supplier questionnaires that began with our larger clients but has increased to encompass nearly every organisation we are working with.
Tick the compliance boxes
Any reputable organisation will have recognised the need to get in line with the forthcoming legislation and should be doing their best to tick the main compliance boxes and show that they are not in breach of the main tenets of the legislation in time for May 2018. The threat of a four per cent fine of global turnover appears to have had the desired effect of focussing both time and resources on the issue.
But for those who have not yet started the process, the big question is, where do you start? It’s like being presented with a bag of knotted wool and being asked to unravel it. You have to start somewhere. But where?
Each organisation may face different priorities, depending on the sector you are in, but a good starting point is your data storage. Do you know where all your data is stored and, critically, who has access to it? Look at all departments across your organisation and assess the data that is stored across the systems used in those departments. Then, look at who has access to it and whether they should have access to it.
Get everyone on board. This is a team effort. Your process may be led by your Data Protection Officer (if you are required to appoint one under GDPR), but the whole organisation has to work together to ensure that new policies are adhered to and changes to working practices and systems are executed and maintained. It is also important to train all staff so they understand the importance of complying with GDPR and how their role is affected.
Part of the process of getting everyone on the same page is ensuring good data governance, which includes a change in working practices and mindsets. No more random spreadsheets sat on laptops that could be left on a train. Look at the security of your data, remove potential data breach holes and put systems and processes in place that ensure data is only stored where you want it to be and that it is secure at all times.
And once you have jumped the final hurdle and relax in your comfy chair with the cosy air of confidence in your compliance, don’t be complacent. GDPR is an ongoing process and must be maintained. Remind staff with re-training, have regular meetings to ensure policies and procedures are being followed and assess new systems and suppliers so they don’t trip you up.
About the Author: