A Series Of Unfortunate GDPR Events – Part 1
Do I really need to be GDPR compliant?
The short answer is YES! The long answer is YYEEEESSSSSSS!!!
Every business in the UK will be affected by GDPR (General Data Protection Regulation) in one way or another, but bear in mind that GDPR is simply an extension of the outdated Data Protection Act 1998, with heavier fines and more powers for regulatory bodies to take action.
The focus of GDPR is to protect the data that is held about any EU citizen, and businesses must comply by 25th May 2018. Yes, there are those who say that because we are leaving the EU it will not apply. Wrong! The UK Information Commissioner's Office (ICO) has already stated that GDPR will form the basis of UK law once we leave the EU, and it has already been incorporated into the Data Protection Bill, which is currently making its way through Parliament.
The non-compliance and breach fines are increasing from £500,000 up to €20 million or 4% of global turnover, whichever is greater. However, the fine greatly depends on how much evidence of compliance you can provide.
The data that GDPR covers starts from simple things such as a person's name and address and goes up to what it defines as sensitive data, like health conditions and religious views. So, you can see that if you hold a person's name then GDPR will apply to you. This includes past and present employees as well as suppliers, so it becomes virtually impossible to escape the scope of GDPR.
Over the next few blogs we will outline a few of the points that GDPR raises and give a few helpful hints on becoming compliant, while at the same time helping you with your bank balance. Sadly, for most, compliance will require some investment; the only exception is those that already have the appropriate level of security and equipment.
First, we will be looking at some of the most important risk management aspects of GDPR for small businesses.
So, have you taken a step back and looked at your business from the outside yet? To be prepared for GDPR you will need to think like a criminal for a minute: take a good look at your business and identify the security risks. You will need to document all of these and put plans in place to manage every identifiable risk. For example: if you work from home, do you leave the door unlocked while you are working? Sadly, this is not Canada, and leaving your door unlocked is a risk that must be identified and managed. Try not to think only physical; think digital as well. We will cover more of the digital side soon.
The ICO advise you to have an Information Security Policy; this ensures that all employees have a clear set of guidelines on what can and cannot be done with your data. It is a good idea to include a set of responsibilities within the policy, so that you know who is responsible for what.
A very big risk to any small business and its GDPR compliance comes through third-party suppliers. As most of us use a network of suppliers to provide a quality product or service, you will need to make sure that all of your suppliers are compliant. It is a very good idea to have written agreements between you; this ensures that you have a clear understanding of who has which responsibility for the security of the data. In the event of a data breach it is very important that your supplier notifies you, so that you can identify the information they hold and inform the ICO as appropriate. If your supplier refuses to be GDPR compliant by the deadline, and negotiations to become compliant are not successful, the only course of action is to stop using them as a supplier; otherwise it could cost you your business.
If you have staff working for you then you need to make sure they receive regular training on security awareness; they should know what to look out for and how to report a suspected breach to the appropriate person. Equally, if you are a single-person business you must know what to look out for yourself. Staff are one of the single biggest risks to your data security, so you need to be aware of this and do everything you can to educate them.
In the next blog, we will cover some of the physical and digital security measures that you will need to be aware of.