GDPR Fact & Fake
By bluezone, 27th March 2018
With 73% of businesses saying they are not even close to being GDPR ready, are you prepared for the transition or aware of the implications of non-compliance?
Read our guide below on the main reasons you should be looking at GDPR.
Do you fall into one of the categories below?
“Help! I don’t want to be fined €20 million, GDPR is a huge challenge – how can we deal with this as well as everything else?”
“The GDPR threat is just hype, I don’t know what the fuss is about.”
These are comments from some of our clients and, while they are extremes, GDPR requires some thought and planning.
It is true that there is a lot of hype and misinformation about the forthcoming enforcement of the GDPR (General Data Protection Regulation), which makes it difficult to narrow down your responsibilities, so what is fact and what is fake?
GDPR is something to be taken seriously but with reasonable steps and some forward planning, like most things in life, it can be managed and fines for infringements avoided.
What does GDPR stand for?
The General Data Protection Regulation (GDPR)
What does it mean for organisations?
GDPR significantly increases organisations' obligations and responsibilities around the collection, use and protection of personal data.
At the centre of the new law is the requirement for organisations and businesses to be fully transparent about how they are using and safeguarding personal data, and to be able to demonstrate accountability for their data processing activities.
With recent breaches in the media, data protection is very much in focus, and individuals now have more rights than ever before over their personal data. Questions will come up and your staff will need to have the answers.
If you are complying with the current law, most of your existing approach will remain valid under GDPR and can be the starting point to build from. There are things you will need to step up, as GDPR changes the way your organisation can collect, use and transfer personal data.
Fail to prepare
It is essential to plan your approach to GDPR compliance now and to gain 'buy in' from key people in your organisation. Personnel should be aware that the law is changing to the GDPR and start to factor this into their future planning. They should begin to identify areas that could cause compliance problems under the GDPR; you may need, for example, to put new procedures in place to deal with the GDPR's transparency and individuals' rights provisions.
How much will it cost?
There may be IT, personnel, governance and communications implications, which means budget will need to be assigned to GDPR, especially in larger firms. The measures you take, and the costs associated with them, should be in proportion to the sensitivity and volume of the personal data you deal with and the size of your firm: under GDPR you are required to implement appropriate technical and organisational measures that match the risk to the individuals concerned.
It is recognised that small businesses have fewer resources and that their processing usually poses less risk to individuals, so the ICO / Data Protection Commissioner may show more leniency in relation to any non-compliance, but that does not make you exempt.
There are two levels of fines under the GDPR.
The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher.
The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher.
The potential fines are substantial and a good reason for companies to ensure compliance with the regulation.
Fines for infringements will be considered on a case-by-case basis and will take a number of criteria into account, such as the nature, gravity and duration of the infringement, whether it was intentional or negligent, how many data subjects were affected, the measures taken to mitigate the damage, and any previous infringements by the controller (you) or processor (a third party processing data on your behalf).
Separate from these fines and penalties, individuals have the right to claim compensation for any material or non-material damage suffered as a result of an infringement of the GDPR.
Accountability & Compliance
The GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability, including records of their processing activities. Compliance with all the areas of GDPR will require organisations to review their approach to governance and how they manage data protection as a corporate issue. One aspect of this might be to review the contracts and other arrangements you have in place when sharing data with other organisations, since GDPR sets out specific terms a processor contract must contain.
The supervisory authority can investigate or audit you at any time and ask to see this documentation.
Exercise for you:
Make an inventory of all personal data you hold and examine it under the following headings:
Why are you holding it?
How did you obtain it?
Why was it originally gathered?
How long will you retain it?
How secure is it: is it encrypted at rest and in transit, who can access it, is that access limited to those who need it, and is it logged?
Do you ever share it with third parties and on what basis might you do so?
GDPR should be an essential element of your business and will need to be discussed at board level. Furthermore, each staff member should be trained on the collection, use and protection of data. If you have not started, you should act now, as any delay in preparation may leave your organisation exposed to compliance issues once the GDPR applies from 25 May 2018.
To those who say “You would say that, you are trying to sell me something”, correct we are, but we don’t believe it changes the above facts.
GDPR and Data Compliance Awareness Course
Against this background, Bluezone Technologies offer a cost-effective GDPR and Data Compliance Awareness Course. While it will not be enough on its own to make you fully GDPR compliant, it is a good place to start so that your staff know what is expected of them.
Courses are £10/€12 per person.
Courses can be bundled and bulk discounts are available on purchases of 10 or more courses.
Watch out for our Data Confidentiality and Security course coming soon, a practical guide for your staff.