With only a matter of days until GDPR is introduced, there appears to be a mass panic taking place… and to make matters worse, a lot of this panic has been unnecessarily blown out of proportion. Fear-mongering has taken charge, whether it be pressure to buy new technology or the threat of non-compliant companies being penalised, when the actual focus should be on the culture of your providers (as opposed to the technology they use).
Many businesses in the IT support and software development industry seem to be using GDPR as some sort of millennium bug opportunity, treating 25 May as though it were THE deadline. Worse still, many outside the industry seem to be jumping on the GDPR bandwagon, focusing on the potential fines to fan the hysteria.
Unfortunately, there seems to be a desperate shortage of voices keeping GDPR in perspective, particularly for SMEs, which is why, with the deadline looming, we’re here to help. And in relation to this month’s ICO newsletter and its “don’t panic” message, we also want to help get a more balanced message across.
GDPR: The Cause of Fear, Uncertainty and Doubt
At Rio IT, we frequently get asked about the General Data Protection Regulation (GDPR) and, whilst we’re always happy to try and field the questions, what is often not fully understood is that, whilst much of GDPR is about data, it is not something that can be solved with the aid of technology alone. It is much more about the ethos within an organisation, and about educating all staff on the implications of using and storing data.
In our view the ICO themselves are very good at setting out what GDPR is all about and debunking some of the common misconceptions that in various instances are deliberately being peddled. You can see their very helpful guide on the matter here. Their checklist highlights 12 steps you can take now to prepare for the General Data Protection Regulation (GDPR), which will apply from 25 May 2018.
In fact, we have sent the ICO link to several of our clients and they have found it extremely helpful; in some instances they then come back to us with specific things we can implement concerning how their data is being processed. The critical thing is that this is seen in the wider context of their own understanding, rather than in the fear created by others with their own vested interests.
Wise Words from the ICO…
Helping us to steer away from the current fear, uncertainty and doubt around GDPR, consider these wise words from the Information Commissioner’s Office (ICO) themselves regarding GDPR compliance:
“To small and micro businesses, clubs and associations who are not quite there, I say… don’t panic! As the new ICO Regulatory Action Policy, out for consultation very shortly, sets out, we pride ourselves on being a fair and proportionate regulator. That will continue under the GDPR. 25 May is not the end of anything, it is the beginning…”
Common GDPR Concerns Amongst Businesses
The questions we get asked by our customers vary from business to business, but broadly they are about the same principles:
- What data do you have?
- Who has access to it?
- How do you protect it?
Generally, if an organisation can answer these questions effectively then they pretty much have GDPR covered.
GDPR’s Originality: Where the Importance Actually Lies…
The GDPR’s originality is its push towards accountability through practical compliance requirements, making this the ideal start to your GDPR journey. It sets the bar high for consent, so it’s important to check your processes and records to be sure existing consents meet the GDPR standard; if they do, there is no need to obtain additional consent.
It’s equally important that all staff within your organisation are educated and aware regarding the new GDPR law and implications around using and storing data.
Setting the groundwork for compliance is crucial; from building a practical governance structure and creating an inclusive framework of internal policies to appointing a no-nonsense, logical Data Protection Officer (DPO).
Looking at more specific actions, revising privacy notices and data processing agreements should also be a priority, but additionally, it’s essential to invest time in developing a workable system for data protection impact assessments.
Preparing for cybersecurity breaches and authenticating data transfers are just a small part of the GDPR battle but, equally, are now of the essence. If you’d like more information on how we work to keep your data safe, please get in touch with our friendly team today.