GDPR has already been in place for nearly six months and, despite a number of doomsday predictions made in the lead-up to the implementation date on 25th May, most have not come to pass. This is of course welcome news for UK businesses, many of which were insufficiently prepared for the regulation when it launched.
The Information Commissioner’s Office (ICO) - the regulator responsible for GDPR - has largely taken the view that its role is to support businesses through the transition into the post-GDPR world. While its first enforcement notice has been served on AIQ - the Canadian data firm with links to Cambridge Analytica – it is yet to levy any fines under the new regime. But this doesn’t mean that companies shouldn’t be taking the regulation seriously.
The ICO’s initial hands-off approach will no doubt come to an end as soon as it works through the backlog of complaints and breach notifications that has built up; the number of these has shot up since May.
SMEs across all sectors should therefore be taking this opportunity to ensure their processes are completely aligned with the law or face potentially enormous fines. Luckily, there are some simple steps that can be taken and implemented relatively quickly – so all is not lost yet.
Where does work need to be done?
Most businesses appear to be conforming to GDPR, with 63 per cent claiming to be compliant. However, worryingly, this means that 37 per cent are not - so the expiration of the ICO’s ‘grace period’ should give these companies pause for thought.
When the regulator looks at cases in detail, there are bound to be numerous examples of non-compliance due to companies simply being unfamiliar with the new terrain. This may be caused by badly designed processes, poor implementation, or even just honest mistakes. However, ignorance of the law is no excuse and won’t be enough to avoid a penalty.
Interestingly, the worst offenders for self-reported non-compliance are those in the technology sector, with 42 per cent reporting that their working practices do not yet fully adhere to the regulation. Whilst these rates of self-reported non-compliance may be due to a better understanding amongst tech professionals of the requirements of GDPR - meaning they will be more critical of their organisation’s preparedness - it is still a concerning statistic.
GDPR is something that should remain a priority for these IT and technology professionals.
What needs to be done?
There are a number of steps that must be taken to come up to speed with GDPR. These include:
- Conduct practical testing and identify the processes and areas of the business that are not compliant.
- Make concrete plans to address the issues that come to light and support people in all areas of the business to deliver the resolutions.
- Familiarise people at every level of the organisation - from boardroom to basement - with the requirements of GDPR at a high level. It’s also important to demonstrate how the regulation applies to their individual roles.
- Ensure that everyone wants to be compliant and that everyone understands the potential costs to the business - ultimately to their own livelihoods - if the company is found to be lacking in any significant way. It’s also vital to provide all staff with an understanding of how their own skills can contribute to the success of a company’s GDPR strategy.
Some companies may think that responsibility for GDPR compliance lies with their IT department alone. However, this is clearly not the case. In fact, it would be almost impossible to think of a person within a company who does not handle personal data at all.
A cashier will be handling card details and may be updating e-mail addresses and marketing lists; the finance and HR teams will be dealing with payroll, and often with sensitive data about staff; procurement has a responsibility to ensure that any third-party companies are compliant – and so the list goes on.
The often-quoted maximum potential penalty for GDPR breaches, of up to €20M or 4 per cent of global group turnover (whichever is higher), therefore bears repeating, because it would constitute an enterprise-threatening cost for most companies.
Help is available
There isn’t a one-size-fits-all approach to take in terms of GDPR compliance. Each company will handle personal data in different ways and for different reasons. But there are areas where technology can assist companies to do so lawfully.
A host of tools are available for all kinds of businesses to ensure that their processes and data protection protocols are compliant, and for many – especially those that do not have the resources, or would rather draft in outside help – these can be invaluable.
When it comes to GDPR, there is a benefit in keeping it simple. The beauty of the regulation is that it is principles-based, meaning there is no prescriptive list of requirements that must be satisfied in order to be considered compliant. Each business is different and each will approach the matter in a different way.
As long as the company has a good ‘story to tell’ about what the organisation is doing to be compliant they are unlikely to be sanctioned as severely in the event that the regulator does come knocking.
Telling the right story
Businesses that are lagging behind should think of their GDPR strategy as a narrative that different people, at all levels and in different departments within the business, have a hand in writing.
When writing the GDPR story, different chapters will be authored by different parts of the organisation – and it may from time to time be necessary to bring in outsiders to act as editor of the document that is drafted. Each time someone steps in to add to it, to simplify the language, or to better organise its contents, the narrative will be improved.
The intended reader of the book is the ICO. It does need to be kept informed of any incident that might result in an individual’s data being compromised, or put at risk of being compromised. The regulator has observed that there is a tendency toward over-reporting on the part of businesses.
But this is actually a sensible strategy for businesses. There are no sanctions for reporting something which turned out not to be an issue, but there are for failing to report – though steps may be taken to address this in the future.
There is always a benefit in monitoring developments in the sector, and keeping an eye on the kind of practices that the ICO is moving against. It is possible to gain an understanding of any organisation’s priorities by monitoring its actions – the AIQ case illustrates that the ICO considers marketing activities to be of particular concern.
The final thing to keep in mind is that the book will never be finished; there is no point at which an organisation will be able to say: “We are now compliant and do not have to do anything”. In this way GDPR is truly the never-ending story.
Lindsey Roberts, GDPR project manager, Visualsoft