Now would be a good time to have a conversation about GDPR
How are those GDPR conversations going? Assuming, of course, that you have had some. If you haven’t, then don’t worry; you are not alone, as there seems to be increasing confusion about this legislation.
I read on the website Information Age last week, and posted it to the National Cyber Skills Centre social media feeds, that 1 in 4 businesses have cancelled preparations for GDPR. Also, that a huge 44% of those surveyed think that, due to Brexit, this EU legislation no longer applies. Sadly, that belief is wrong, as the UK Government has stated that this legislation will be adopted and it comes into force in May 2018, so a little over a year from now.
But what does GDPR actually mean?
To tell you the truth, I’m not 100% sure myself. I’ve taken a good look at the dedicated area of the Information Commissioner’s Office (ICO) website, read what Wikipedia has to say about it and Googled it all to my heart’s content. There seems to be a lot of it and a lot to talk about.
The first headline that jumped out at me was with regard to mandatory breach notification. The ICO defines a data breach as “A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.”
They then cite the example of a hospital that could be responsible for a personal data breach if a patient’s health record is inappropriately accessed due to a lack of appropriate internal controls.
If that happens then it must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. That in itself is going to change processes and procedures throughout businesses and organisations in the UK.
The other headline that demands further conversation regards the fines that may be levied in the event of non-compliance. To date, the ICO has been able to fine organisations for data protection violations up to a maximum of £500,000. That may sound a lot to many of us, but it’s about to look tiny in comparison to what GDPR has in its armoury.
Fines can now hit eye-watering, pocket-emptying levels of up to €20,000,000 or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.
So let’s just put those two points together. You’ve had a breach, you have to tell them, and then they can fine you! And all from May 2018. It makes me wonder what conversations have taken place inside organisations that came to the decision to cancel GDPR preparations. Didn’t they do a quick check on Google, or even have a 5-minute chat with their legal counsel?
Maybe an easier conversation would be to admit, as I have, that they are unsure and need some training, or at least some research into GDPR and how it is more than likely going to affect each and every part of their business, their supply chain and their customers.
There is a lot more to GDPR, as I am discovering, above and beyond the couple of points that I’ve mentioned here. There are new rules on data processing, on new roles that organisations may need – a Data Protection Officer – and rules on accountability, on consent, on data portability and much, much more. There is in fact an awful lot to discuss, debate, detail and implement in an ever-shrinking period of time.
For those 1 in 4 businesses who have cancelled their preparations for GDPR, I wonder which conversation they would prefer: the one about going on training and taking some action, once they’ve accepted that Brexit has no effect on this legislation, or the one about how they are going to afford to shell out up to 4% of their annual worldwide turnover at some point next year?
Hopefully I’ll see some of you in the classroom next week!