Just who is responsible for GDPR in a company?… Everyone starting at board level down…
GDPR In The Press
There was a flurry of press coverage, interviews, radio and TV coverage recently as the ICO began their campaign to make businesses and other organisations aware that there is now less than 200 working days until the EU General Data Protection Regulation (EU GDPR) and the new UK Data Protection Act become law on the 25th May 2018.
But here at Risk Evolves HQ we sighed with frustration and gnashed our teeth that the wonderful BBC continue to report this as a technology story.
Once more the responsibility for all things data related is expected to fall on the shoulders of the much maligned IT Department / Provider. As we have highlighted previously, the entire organisation has a responsibility.
Who Will Be Affected By GDPR?
The EU GDPR will touch every aspect of the organisation and it is important that organisations begin to work on a strategy now. And we very deliberately say ‘organisation’ as the new laws apply to all organisations – commercial, public sector, charities, not for profit, education, SME’s, sole traders – you name it, it is likely to affect you. In brief, anyone who collects and processes data, regardless of organisations sector and size. And regardless of whether it’s digital (ie. on a computer) or on paper.
The EU General Data Protection Regulation (EU GDPR) and the new UK Data Protection Act become law on the 25th May 2018.
The golden rule – if you have data that can identify an individual, then the data is personal. This could be through name, address, IP address, finger print etc. Personal information needs to be treated and respected in the same way as any other company asset. With care and respect, protecting it from damage or theft.
Why is GDPR more than just an IT Manager’s Issue?
- Human Resources / Personnel : they should manage starters and leavers to the organisation, ensuring that new starter information is correctly managed, that employment contracts and induction programmes make individuals aware of their responsibility to manage data as an asset. They may need to gain consent from the individual for DBS checks, DVLA checks and gain authorisation to process data for payroll, reassuring them that it will not be misused. If you provide information to pension providers, or companies that provide health care benefits, are their systems secure ? What are they doing as data processors to protect individuals information?
- Training : the on-going education and training of staff to ensure that they understand how data can and cannot be managed. This needs to include information on what to do if they think that they have lost data
- Procurement : they should ensure that any 3rd parties who may be used to process data follow the same ethos, that the data is protected, not shared with others, and that only the information that is required is passed to them. Equally, if they lose data, suffer a ransomware attack or suspect that their systems have been compromised,, how will this be communicated to you as the data controller ? And if you have outsourced your IT, does the provider have the correct processes and systems in place to manage your data securely ?
- Legal : are the contracts that are in place with Customers and suppliers robust enough in the new era ?
- Marketing : similar to the current legislation, marketing has to change to ensure that customers who have positively opted in to mail (both online and postal) campaigns receive emails,
- Security : is the office and other premises secure ? How is physical data (ie. paper, old laptops etc) destroyed ?
…. The list goes on ..
Management NEED To Take Ownership Of GDPR
However, absolutely key, the management team need to demonstrate to customers and employees that they are serious about the new legislation by taking ownership for ensuring the resources are available to support. This responsibility cannot be abdicated, and in some instances, they will need to assign the role of Data Protection Officer to an individual who can join them at Board level.
This is clearly not solely a technology challenge ! It is possible to avoid the over reported threat of fines by taking some straight forward and pragmatic steps now.
We understand that these changes all sound daunting, regardless of the size, sector or turnover of your organisation. However, help is at hand. Contact us to find out how the new legislation and regulations apply to your organisation, and for information on our no nonsense approach to becoming compliant.