The media has gone into a GDPR frenzy now that we’re less than 100 days away from the May deadline. But is all the fuss necessary? Shouldn’t most organisations already be taking data protection seriously?
In our last blog on GDPR, we explored what the changes would mean. In this blog we discuss what you should be doing right now, what you shouldn’t be panicking about, and a few things to be cautious of.
The General Data Protection Regulation (GDPR) is big news because data protection laws haven’t changed that much since their inception in 1995, despite the way we use the internet dramatically changing in that period.
In 2018, people are a lot more concerned about how their private details are used and stored, which is why GDPR will be replacing the 23-year-old directive.
When GDPR becomes enforceable this May, any business processing or controlling data in the EU must comply – not doing so could land them with a fine of up to €20m or 4% of their annual revenue, whichever is higher.
Yes, that sounds very scary, but most organisations processing personal information are already required to comply with the 1995 data protection act. This means that most businesses should already have most of the infrastructure needed to handle GDPR in place.
Keep Calm and Carry On
Back in December, Information Commissioner Elizabeth Denham went to some length to reassure businesses that already had the GDPR wheels in motion, “that there’s no need for a Y2K level of fear”. She goes on to quash some of the myths that have been floating around, such as, those that don’t comply will immediately be given huge fines and made an example of.
The commissioner did however, confirm “that there will be no ‘grace’ period – there has been two years to prepare and we will be regulating from this date.”
The Information Commissioner’s Office (ICO) sees GDPR as a very evolutionary process: there is no need to throw out everything that you are currently doing; instead, build on and improve your current processes.
What Should You Be Doing Right Now?
That isn’t to say you shouldn’t be doing anything: you should be building on what you already have in place and looking at what still needs to be done. Here are some key points from the ICO that you should be considering already:
- Organisational commitment – Preparation and compliance must be cross-organisational, starting with a commitment at board level. There needs to be a culture of transparency and accountability as to how you use personal data – recognising that the public has a right to know what’s happening with their information.
- Understand the information you have – document what personal data you hold, where it came from and who you share it with. This will involve reviewing your contracts with third party processors to ensure they’re fit for GDPR.
- Implement accountability measures – including appointing a data protection officer if necessary, considering lawful bases, reviewing privacy notices, designing and testing a data breach incident procedure that works for you and thinking about what new projects in the coming year could need a Data Protection Impact Assessment.
- Ensure appropriate security – you’ll need continual rigour in identifying and taking appropriate steps to address security vulnerabilities and cyber risks.
- Train staff – staff are your best defence and greatest potential weakness, so regular and refresher training is a must.
If you haven’t started putting anything in place yet, the Preparing for the General Data Protection Regulation (GDPR) guide from the ICO is a really useful programme with 12 steps to get you on your way to compliance.
What to Watch Out For
One of the biggest threats to business is predatory salespeople taking advantage of panicked business owners and selling off-the-shelf ‘GDPR solutions’ or certifications. No such certification exists – you can’t comply with a law which doesn’t yet exist.
If you lack the resource in-house to deal with some of the IT-related tasks in your GDPR preparations, then speak to a reputable third party and seek guidance, but don’t take up offers of compliance certificates and the like.
Another concern for business owners is cyber-criminals taking advantage of them. As reported in ComputerWeekly.com, cyber-criminals could concentrate on targeted, strategic, money-making attacks – using GDPR fines as leverage to extort money from organisations.
It is thought that these criminals could hold business owners to ransom over their data. This would be done by trying to force CEOs to pay a smaller penalty to the hacker, rather than face the fines associated with a major data breach. There hasn’t been any evidence to support that this will happen – it’s worth keeping in mind though!
IT Support and GDPR
As experts in this field, Bandicoot understands what our clients need to do in order to be 100% compliant with the new GDPR regulations, so if you’d like to speak to someone who can help steer your business in the right direction, get in touch with us today.
We provide full IT support services, and design and build websites for businesses in Burnley, Lancashire and across the North West. Whether it’s help with your systems or giving you an online presence, we can help.