People talk about “making time to do things”. We all know that time is precious in both personal life and in business, but time is something that ticks away and is something that we can’t get back. A fortnight has slipped by already and we are two weeks closer to the 25th May 2018 deadline for GDPR. Hopefully, this period of time was used productively and you have asked questions in your own business about what GDPR plans were being made, and how they would be implemented to ensure compliance. For those who did, we’d be interested to hear what responses you got. If anyone has feedback drop us a line as it could help shape future articles.
HOT TOPIC – DON’T IGNORE IT
GDPR is getting plenty of exposure so in this case ignorance is not bliss. A lot of businesses are simply burying their heads in the sand, or saying “well nobody has written to me to tell me this is coming in, so how can they implement it?”. All you need to do is look on social media, check the printed press or listen to the news, it was a topic of conversation on BBC radio a few of weeks back. Ask your partners and suppliers what they are doing about GDPR.
Videos like this are already doing the rounds advising people of their rights. Raising awareness and teaching people how to report offences is only going to grow which means businesses may be on the back foot if not prepared. The heat is really going to get turned up if businesses have no processes in place for dealing with Subject Access Requests (SAR). Even if your organisation does not do marketing per se, if you collect, store or use personally identifiable information about people in any way you will need to comply. https://ico.org.uk/for-organisations/guide-to-data-protection/principle-6-rights/subject-access-request/
With two more #gdprexpress events this week, we had some great feedback from some micro businesses and SMEs. They felt that that examples shown talking about action taken on major brands, and talk of the headline fines of up to £17Million / €20M or 4% of global turnover was not “real world”, almost bordering on scaremongering. It is important that businesses do not simply focus on the possible fines. Reputational impact could actually do more damage. The ICO actually prefer NOT to fine people where possible.
They prefer would rather they address issues using correctional measures if they can. Fines tend to be a last resort. We agree the headline big numbers look scary, and the reality is they will be based on a sliding scale.
The severity of action and the magnitude of financial penalty ultimately depends on the nature of the issue in the first place. If you are at the wrong end of an investigation but are seen to be taking the right steps, and can demonstrate that you have the right processes in place then the action or fines might be less severe. That said a “small” fine in the eyes of the Information Commissioner’s Office (ICO) could still be enough to cause major cashflow problems for a small business.
Even if you are not sending spam texts or unsolicited marketing emails you may still be placed under scrutiny. Action can be taken if your website is simply not secure and is hacked and data leaked. If you had to shell out £5,000, £10,000 or £60,000 for something you had not planned for, would this put a spanner in the works for your business? With a little planning and increasing awareness in your business, the risks of action being taken can be drastically reduced.
REAL WORLD EXAMPLE FOR SMALL BUSINESS
An investigation by the ICO recently found an SME trading in Berkshire as Boomerang Video Ltd, failed to take basic steps to stop its website being attacked.
Sally Anne Poole, ICO enforcement manager, said:
“Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.
“If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.” She added:
“Boomerang Video failed to take basic steps to protect its customers’ information from cyber attackers. Had it done so, it could have prevented this attack and protected the personal details of more than 26,000 of its customers.”
Rule of thumb:
If you operate a website (and who doesn’t these days), or you make websites for clients make sure you have suitable protection in place. Penetration testing can help identify vulnerabilities. Even better if you have round the clock penetration testing as opposed to once in blue moon.
It’s good to talk
Talk to your staff and suppliers about GDPR and raise awareness. Remember help and training is available from many places so this need not be a big and scary thing. As always there are some great FREE Self Assessment tools to help you make a start. http://www.hm-network.com/free-gdpr-tool-kits/
Getting your staff trained can actually be very straight forward, it can be built into daily tasks and not disrupt your working day.
If you would like any information on upcoming #GDPRexpress sessions, would like a consultation in any of the areas discussed in the blog posts or simply want to chat about connectivity you can email us at firstname.lastname@example.org or call 03333 444 190.