It’s been almost a week, and you’ve woken up each day and wandered through the internet with all the resolve of someone who has officially survived the end of the world but is expecting zombies to come crashing in at any moment.
Let’s face it, GDPR Day was practically the 2018 equivalent of Y2K, with everyone scrambling about in a barely concealed panic, stocking up on loo roll and batteries while pretending that everything’s under control. Then you woke up and the lights still turned on, computer chips still did what computer chips do, and life went on (albeit with a greater number of pop-up privacy notifications).
However, the EU means business, and the GDPR is now officially in force across Europe. So, what should we consider as next steps if we come face to face with a data privacy zombie because we forgot to lock a window in the safe house?
Do you have a clear understanding of the personal data your organisation uses? Keep in mind that by “organisation” we’re not limiting the discussion to businesses, because the use of personal data by a “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” fits squarely within the GDPR and the UK Data Protection Act (2018).
You will need to know where your data comes from, what you do with it, where it is stored, whether it is transferred to a third party (e.g. payroll processor, marketing company), whether you have a legal basis to use the data and how you can prove that it has been deleted properly when no longer used.
Without that “data map” you are almost certain to miss something and the potential ramifications for that need no repeating.
What are Your Foundations?
It’s Now, or Now
If you weren’t working on resolving your organisation’s data protection and privacy obligations before May 25th 2018, you need to start. Now.
Does it have to consume your full working week? Not at all. Allow the project to flex around staff holidays. Allow it to soak into the business. Allow it to develop over the coming weeks and establish itself as “business as usual”. Yes, this is a requirement, but it’s your project, and you create the momentum and drive it forward.
We are now on a continuum: where data protection and privacy are novel and slightly uncomfortable today, they will soon be the expected way to work for newcomers to the workplace. They will expect you to be a good “corporate citizen”, and in a skills market those organisations which can show that they take data protection – and the ensuing viability of their business – seriously will be the ones to attract and retain good staff.
Remember the torrent of emails you received asking for your consent in the run up to May 25th? Did they make you feel wanted, or did they make you feel like the final part in a box-ticking exercise from organisations you can’t even remember signing up with?
If you rely on “consent” as a legal basis for processing personal data for mailing lists (or whatever) then you need to keep the consent up-to-date. You need to provide an easy opt-out.
You know what makes opt-out REALLY difficult? Engaging, interesting content. If your communication raises even a wry smile with your intended audience then they are likely to keep you around. If your newsletter doesn’t SPEAK to them, directly to them, then they will opt out.
Know your audience. Serve them. They will stay, as long as you are interesting and honest. There are no tricks necessary beyond that.
Are you losing audience via opt-out? Have a word with your copywriter or marketing agency, and even vote with your feet. You can opt out of their services, too…
Remember those people - your customers?
Say DPIA Three Times Fast
Any new service you wish to develop which uses personal data in a new way absolutely requires a Data Protection Impact Assessment (DPIA) in future.
If you don’t know what a DPIA is – get in touch. This article isn’t going to teach you everything you need to know about DPIAs, so speak to us.
The good news is that if you fail to undertake a DPIA when required, the fine is maxed out at only €10m or 2% of global turnover (it may be significantly less, but you get the idea).
If you develop software or systems which use personal data, you need to demonstrate that you have implemented “privacy by design” and “privacy by default” into digital and paper systems. I know, I know – paper systems still exist.
FYI this is another potential route to a €10m or 2% of global turnover fine, just so that you’re aware.
Get it in the DNA
There’s Always Politics
You may be relaxed about the whole thing, waiting for the ICO to come in and offer advice and guidance instead of a financial sanction. Just be aware that the GDPR needs to be applied equally across the EU and Germany has been running GDPR as their Federal Data Protection Act since May 2017.
If the supervisory authorities in Germany have made a judgment about poor standards of “digital health” (how organisations handle data, security, training and audit), then the ICO may have to bend to the precedent and fine. Otherwise we follow the journey of a court case to the EU Court of Justice when Germany decides that the ICO has been too lenient and that this leniency is enticing companies to relocate to the UK. Yes, even despite Brexit. Data protection is highly political, as well as potentially highly litigious for users of personal data.
Get accustomed to audits. Part of the provision of GDPR is to allow the EU to bring in certifications for GDPR conformance. To assess compliance there will be – guess what? Yep – audits.
Okay, so maybe you don’t want to go through the hassle of certification when it arrives. That’s fine – you’re a business leader and it’s your choice.
But what happens if your competitors have a nice, shiny “badge” which shows that they take care of their customers’ personal data?
It may not be applicable to your business – we get that. But wouldn’t it be better to make efficiency gains by understanding your business from top to bottom and removing any inefficiencies and risk?
You’re a business leader and it’s your choice.
Transparency is a Good Thing
Hello Virtual DPO
You’re in a quandary. You have a legal obligation to take on board a Data Protection Officer (DPO), but you can’t hire a DPO or add to headcount because funds won’t allow it. You’ve also heard that some DPO roles are commanding a salary of £120k p.a. and all of the associated perks. People you may train to be a DPO will see the pound signs and leave, after your investment in training.
Why not hire a retained DPO? Someone you pay for an hour a month to ask questions for professional advice, someone to liaise with the ICO, someone to keep you on track with your digital health, someone to deal with all of the elements of the GDPR you have no desire to sit and study and someone who isn’t going to leave for a higher salary elsewhere.
Talk to us about a “virtual DPO” service. Think of it as a tick in the box for you with the ICO and a safe pair of hands to do all of the stuff which is required by your business but which isn’t your business as usual.
Okay, you absolutely want a DPO on staff. Part of the regulation says that the DPO needs to be an expert in the subject. What about your staff? If they handle personal data they will need to show evidence of having been trained.
We can help with all of that, too.
The largest privacy certification organisation on the planet is the International Association of Privacy Professionals (IAPP). Our directors are Fellows of Information Privacy (FIP), which proves not only that they have passed the necessary privacy exams, but also that they have referenced, proven experience in data privacy and protection over a period of years.
We are one of very few Official Training Partners of the IAPP in the UK and can provide the best training on EU data privacy to your nominated DPO and any staff. From a one-hour computer-based training system, through to four-hour, full-day or multi-day training, we can make sure that your staff have an auditable history of data privacy training.
Audit. It’s that word again. It will become more important in coming years.
Get your Trainers Out
Starting Anywhere is Starting Somewhere
If you haven’t started your GDPR journey – start now.
You may not get to be fully in accordance with the regulation immediately, but someone recently said, “Being assessed by the ICO for compliance with the regulation is like a maths question in an exam. You may not get full marks if the answer is wrong, but you’ll get marks for showing your working out”.