Since the introduction of GDPR in May 2018, not much has changed. Is that right? Well, if you believe what you’re told, it might seem that way. There are still many companies that remain non-compliant, and it doesn’t matter how big or small they are, it’s the same story.
For many, it’s just another task they need to do. The reality is that many have little understanding of what it means in practical terms, which means it gets pushed down the priority list. And since the ICO can’t keep an eye on everyone, the thinking goes, let’s wait until it becomes an issue.
This approach is a familiar story for many companies. But GDPR is not just a tick-box exercise, something you do once and move on from. It should be an integral part of your business processes: a best-practice approach to safeguarding one of your most valuable assets, your data.
GDPR is more of a journey
Elizabeth Denham, Information Commissioner at the ICO, has said previously that GDPR compliance will be an ongoing journey. The reasons are simple. The regulation is open to a degree of interpretation, and the guidance and case law around it are constantly being updated. In a similar way to SEO and LinkedIn algorithms, you need to be on it all the time.
The most recent example of this is the Schrems II decision. Privacy Shield was the framework that let companies in the EU transfer personal data to certified companies in the USA. By relying on it you were, in effect, compliant with GDPR.
The Court of Justice of the European Union ruled on a case brought against Facebook by data privacy campaigner Max Schrems. He argued that Privacy Shield did not prevent US intelligence and law-enforcement agencies from accessing the data. The court agreed and declared Privacy Shield invalid. Standard Contractual Clauses survived the ruling, but you now have to assess, transfer by transfer, whether the data is actually protected in the destination country, so the paperwork alone no longer does the job.
There are other changes, updated ICO guidance among them, that don’t make the news headlines. All of them are relevant and important in keeping your data safe, but they are not always picked up within an organisation, which can be frustrating when you believe you’re compliant.
Build compliance into your operations
Implementing GDPR across your business must be a practical exercise. By that I mean you can’t advise on what to do without providing a workable solution. You need to know exactly what needs to be done to make you compliant. Going on a course and learning about the theory is great, but how do you put it into practice?
There are also different implications depending on which part of the business you work in. Human Resources is very much about handling sensitive data such as personnel files, while in a call centre you are dealing with live customer data. You need to think about keeping it secure as part of your daily routine: screens locked and password-protected when you step away, and no paperwork left on desks.
Bespoke training for individuals based on their role is a huge benefit. It’s relevant to how they operate, which means they can understand how it relates to their job, and implementation just becomes part of what they do. Unfortunately, the human element within any process is the weakest link, which is why anything you can do to minimise this area will be a big benefit to you.
Easy steps to keep yourself compliant
Once you have gone through the process of becoming compliant, it will not take much to keep you there. Here are some simple steps to follow that should help you.
- Conduct an annual review. Check that your policy documents are still current and relevant. Obtain staff feedback; it’s always a great way to understand what is actually happening across the business.
- Should you suffer a data breach, remember that where the breach is likely to put people at risk you must report it to the ICO within 72 hours of becoming aware of it. Once you have it all sorted, check your processes. Make sure you learn from what has happened and work towards mitigating any future risks.
- If you have a DPO, they should be keeping themselves up to date with any changes in GDPR and the guidance around it. For those who don’t have a DPO, there are GDPR specialists who can do this job for you.
Ultimately, it’s the old adage that ignorance is no defence. The ICO would certainly not accept it as a reason for not being compliant, even if you were compliant at some point in the past. Which is why it’s important to realise that your company data needs to be handled in the way GDPR defines. It’s fair to your customers, it’s fair to your staff, and it’s a fair cop if you get caught.
Is non-compliance a risk you’re prepared to take?
Some businesses have addressed the requirements of GDPR, taken the step and embraced it to protect their brand reputation. High-profile fines are expensive and embarrassing in terms of being named and shamed, but the impact on your brand is longer-lasting.
Not everyone looks at it like this. Many more companies have simply ignored it completely. Others have started to look at GDPR and then pushed it down the priority list. It’s true that the ICO needs to catch you in breach of GDPR, but sometimes they have help.
There will be people within an organisation who want to make it difficult for others, usually those who feel aggrieved by something that has happened to them. A disgruntled employee who knows where the gaps are can take that knowledge straight to the regulator. Remember, people are always the weakest link.
The one certainty is that GDPR is not going to disappear any time soon. It has been retained in UK law as the UK GDPR, sitting alongside the Data Protection Act 2018, so the fact that we have left the EU has no bearing on what you need to do next.
What stage have you reached with your GDPR – love it, hate it or indifferent?