GDPR UK facts and fiction.

I’ve recently attended a number of forum’s and conferences and the subject of GDPR comes up regularly. Unfortunately for most its still being reported as “you must do this or you risk hefty fines”, and although this is correct, its not necessarily the UK ICO’s intention.

https://iconewsblog.org.uk/2017/08/09/gdpr-sorting-the-fact-from-the-fiction/

The ICO has advised that fines will be as a last resort, and it will aim to educate and support businesses with data breaches etc. For most part this knowledge is probably a relief to many business owners, but lets not forget GDPR is a requirement by May 2018, and we need to act appropriately.

GDPR is all about handling data responsibly, and everyone should take notice of that. With almost infinite storage available at our fingertips its very easy to horde information on a “this might be useful” basis, but that information may be old, irrelevant and incorrect.

There are a lot of points also being announced, some are not necessarily in context.

DPO – One big requirement is that businesses will need to appoint a DPO. This is true, but only if your core business is the processing of personal (and sensitive) data. Most businesses who provide transactional services or purchases, will be except from this requirement.

Consent – You must get consent for everything – this is not 100% correct, you need to get consent if all other requirements (in article 30) are not met. Legitimate interests allow businesses to collect data which benefit the user as long as it doesn’t infringe their rights (in which case we shouldn’t be using it), so in the most part this will remain similar to DPA in so far as data can be collected, but as long as your upfront about it.

EU GDPR is good practise, it is a business wide challenge and not just an IT issue. The fine aspect is making businesses owners more aware which is a good thing, but although the EU GDPR rules are more informative than DPA there are still areas which are open to mis-interpretation.

Steps for businesses working through GDPR

  • Know your responsibilities as a Data Controller. Identify the data you need vs the data you collect, why you are collecting it, and ensure that only those who need to access this data can.
  • Ensure that your providers who will be your data processors (CRM providers, e-commerce software, hosting providers) have EU GDPR in their contract and their businesses are compliant.
  • Ensure you have an audit of the security of your systems, there are services provided by partners who will maintain this as a service (security as a service) consider this if you do not have the resources to maintain adequate security in-house.
  • Carry out a GAP analysis (comparing where you are against where you need to be). Plan out the goals to achieve EU GDPR and monitor and review your progress.
    • partition the data so you can identify what data is personal and may be specified as a request.
    • know when you obtained consent (directly or by legitimate interest etc), and ensure that you have an audit on how you renew this each year.
    • ensure consumers can opt out without difficulty, and ensure that they can (if requested) be forgotten (to note: this is unlikely to apply to order data where accounts are required by law to know who you sold it to).
    • ensure users can correct their data.
  • Regularly monitor the security of your systems, and the compliance of your software (your own or 3rd parties).
  • Review your business policies to ensure that you are considering the security your data as part of the design, not as an after though.
  • Train your staff about their obligations to data security.

Unfortunately the Data Protection act has been something most businesses had assumed wasn’t applicable to them. With GDPR it splits the responsibility between both the Data Controller (the business) and the data processors (the partners providing the technology that interacts with the users). With both sides focused on ensuring that they act appropriately and avoid fines this will give better transparency to data collection, and improve security.

GDPR isn’t something you can do overnight, so if you’ve not started, I would strongly recommend looking at the official preparation steps documentation, and make a plan.