momius - stock.adobe.com
There’s a lack of understanding that 25 May 2018 is when the General Data Protection Regulation (GDPR) comes into effect; the onboarding period started two years ago in May 2016, and it has been on the horizon for three years.
There’s also a misconception among businesses that when GDPR is introduced there will be a grace period, but the reality is that organisations need to be preparing now.
The scaremongering following the announcement of the UK government’s Data Protection Bill, with talk of colossal fines of £17m or 4% of annual global turnover for non-compliance, may make for interesting headlines, but it does not reflect the reality of the situation.
Out of the 17,300 cases brought before the Information Commissioner’s Office (ICO) in 2016, only 16 resulted in fines against an organisation.
Although increased fines will certainly sharpen the focus of many organisations, there is a suite of sanctions that may be imposed, such as reprimands and corrective orders, which will be more common punishments.
The ICO has backed up its positive position on the upcoming legislation with advice and freely available content to help support businesses through the process.
This shows the ICO not as a legislative attack dog, but as a supportive agency trying to protect UK citizens’ personal information and help businesses implement better data protection practices.
Organisations need to change their ‘corporate psyche’
The Data Protection Bill reinforces GDPR and the importance of protecting data among UK businesses.
If you read into GDPR, it essentially builds on data privacy and security principles that organisations should already be abiding by – the Data Protection Act has been in force since 1998, after all.
For organisations to be prepared for its implementation, there needs to be a change in corporate psyche regarding how they handle personal information.
Organisations need to look after their information assets with the utmost care because they are responsible for its safe keeping as custodians.
GDPR is a great reminder to businesses that people lend their information and organisations have a responsibility to look after it. It’s not just about confidentiality, it’s about integrity, accuracy and availability – and it’s just plain good business practice.
If you’re managing customer information in a fit and proper way, then requests for that information – known as subject access requests – are nothing to fear. GDPR is expected to lead to a significant increase in consumers submitting subject access requests, which require businesses to disclose copies of the data they hold on individuals.
If a company has done all the right work, finding and disclosing information for a subject access request will be easy to do, and there should be a streamlined approach in place for this.
There needs to be a culture change throughout whole businesses too. Data protection needs to be treated in the same manner as health and safety, and managers need to care about protecting their data as much as they care about protecting their employees.
A call for transparency
Organisations have played fast and loose with people’s information for too long. As citizens, we own this information and it is highly valuable and affects our wellbeing.
Due to previous laxity in the law, businesses have found loopholes to misuse it for their own gain, ultimately exploiting the people who trusted them with it.
Some large corporations have purposefully harvested information from their own staff or customers, and included in small print their right to reuse that information for purposes not originally intended – and this is not OK.
If businesses are going to misuse information for something outside of its original purpose, they should at least be transparent about it and let people know.
People have a right to know that information concerning them is being properly managed. They also have a right to request that information is deleted or returned. This piece of legislation does nothing more than put the control back in the hands of UK citizens.
Citizens’ rights come first
As long as businesses can demonstrate a sound and practicable intent to enforce data security practices, they should not be fearful of new data protection regulations and European Union (EU)/ICO mega fines.
In its Strategic Plan, the ICO states that it ensures that those responsible for information have all the support and guidance required to ensure effective information management. Therefore, the anxiety around GDPR should be put aside for the realisation that at the heart of it is the desire to ensure citizens’ rights come first in this digital age.
The DPO, who’s responsible for that company’s data and its protection, should own all responsibility and accountability for customer information and data.
They should know the answers to everything, from “What do we have?” to “Is it useful for us?”. These answers should also be known at an executive level, right down to new employees. Data protection is not just an IT issue – it’s everyone’s responsibility.
Why embrace the change?
- An initial outlay in resources may be necessary to ensure your information fundamentals are in order, but the long-term benefits of this could result not only in better legal and policy compliance, but could also give an organisation a competitive edge. Boards that display they are committed to taking citizen’s private data rights seriously may well have a positive effect on an individual’s choice of who they want to place their custom with in the long term.
- Clear, transparent and accessible information on how you process personal data will lead to public confidence in your organisation.
- A review of information holdings and correct storage and indexing of personal data will allow a much easier facility to provide individuals with information following data requests. It will also allow you to easily amend any data discrepancies with regard to an individual, as well as easily identify and delete personal data where necessary.
- The commitment to adhere to GDPR may also result in a review of data retention policies, which could lead to a realisation that organisations can decrease storage overheads, reducing the overall size of their digital footprint.