GDPR and its new requirements have noisily crept up on us over the last several months. It is gathering a head of steam as we fast approach 25 May 2018.
DLRT and TALL Group have been preparing for this for quite some time. As data processors, we are keenly aware of the importance of data control and integrity. Right across our businesses we have been reviewing and refreshing policies.
GDPR is not something to be scared of. We have been managing data for over 30 years, and have accreditations for ISO 9002 2015, ISO 27001, and Cyber Essentials Plus coupled with an embedded internal culture of confidentiality and awareness of the importance of “right first time”. All this has positioned us very well for its introduction.
We realise we did have a head start in the process, being ISO 27001 accredited and having Cyber Essentials Plus. That is not to say we rest on our laurels – no – to the contrary, we have and will continue to work with our accreditation partners and our customers’ Risk and Compliance teams to assess potential risks and pre-empt potential gaps.
This is not a race to the finish line but the start of a process. The start date of 25 May 2018 means that from that date onwards we need to continuously and consistently monitor and tweak what we do and how we do it.
GDPR in its essence is an enhancement to existing EU Data Protection laws, differing only in that it now explicitly calls out the rights of the individual and threatens large fines where Data Controllers and Processors have not put in place the necessary security protocols and infrastructure to protect and serve their customers under the laws outlined.
GDPR is an enterprise-wide undertaking. It is not solely an obligation for IT, Compliance, Marketing etc.; everyone within the organisation needs to be engaged, and sponsorship must be seen to come from the top. Identifying why we hold data, who we hold it for, and for how long is an extremely important element in assessing potential risks. From a marketing point of view, do we have consent to hold the information in the first place?
The headlines grabbing attention about GDPR relate to the enormous, business-busting fines that could potentially arise. As a business we take a very pragmatic approach. Any liability cover must be tempered with common sense and “reasonableness”.
Businesses that actively engage, understand their obligations and apply rigorous standards to their management of personally identifiable information (PII) should have nothing to fear from this legislation.
We have found that it is key to engage with your customers and to take advice and direction from trusted experts, primarily the accreditation bodies – they are in it for the long haul and do have your best interests at heart. Doing this right is costly, but it is a lesser cost than losing the business, suffering a substantial fine and/or reputational damage.
No one wants to make mistakes, but mistakes do happen. GDPR puts the onus on us as Processors to communicate immediately, determine the root cause, develop a solution and reinforce the process. As in all cases, systems and processes are only as good as the people who operate them, so education is key. Regular updates and refresher training will support and protect staff while also empowering them to deliver “Right first time”.
Peter Thomas is the Managing Director of DLRT, part of the Tall Group of Companies.