The FAQ of GDPR
This article was posted on Wednesday, February 1st, 2017 in the category Uncategorised, and was written by Morton Bell
Are you preparing for GDPR?
Identity, DP and security for today’s business.
Here are 9 of the questions we are most frequently asked.
We hope this clears up some of your uncertainties concerning GDPR.
1) Is reviewing your security systems enough?
First and foremost, businesses need to be aware that GDPR comes into effect on 25 May 2018 and that means that your business should be prepared and have everything in place to ensure you are compliant by then.
The next point to consider is that the ICO (Information Commissioner's Office) will take the view that your business was already fully compliant with the Data Protection Act 1989 (DPA). GDPR should therefore be merely an extension of your existing responsibilities and everything that goes with them.
The following information should help answer some of the common questions that we are asked about GDPR and give you some guidance as to what to do within your organisation. If you feel you need more information please download our ‘Next Steps Guide to GDPR’ or contact us for further information.
As a business, we have members who have completed GCHQ Certified Training for assessing GDPR, and we are in regular contact with the ICO about the regulation. Our aim is to help our clients and subscribers make sense of the regulation; we will relay the updates we receive to interested parties, with more in-depth help for our clients naturally.
2) So why am I raising GDPR as a discussion point?
Well, in our experience many companies have either completely ignored or only paid lip service to the current DPA, meaning that they are likely to be very underprepared for GDPR.
In some instances that means you are starting from zero. Starting from nothing can sometimes make it easier to implement the new requirements, and we think this is the case for the far more in-depth GDPR, rather than trying to adapt what you already have in place.
3) Some companies seem to think it won’t apply to them, or at least not as much, due to their size or location.
This simply isn't true. It is law and is applicable to organisations of all sizes that hold 'Personal Information', regardless of your office location, and yes, that includes organisations in non-EU countries if they hold information about EU citizens.
4) But it’s not as though anyone is policing whether we are prepared or not!
This is true: there is no organisation that can knock on your door at random and demand to see that you have put everything in place, and then either take action against you or give you a gold star for good behaviour.
However, any complaint or enquiry by an individual could trigger exactly that, and even if that seems unlikely in your organisation, consider the effect of a data breach and your responsibility to report it.
With cyber crime not only prevalent but growing at unprecedented levels (a 20% increase from 2014 to 2015), the chance of being hit by malware that would require you to report the incident to the ICO is growing and is, to some extent, out of your control.
5) There must be some leeway or allowance for first offences, isn't there?
Under the DPA the ICO takes the attitude that corrective action and guidance are more effective than punitive fines, and it has openly stated that it intends to continue with this approach for GDPR. So provided that you are neither deliberately negligent nor a repeat offender, and the severity of your breach is not too great, you will most likely not receive a fine.
There is a lot of scaremongering about GDPR currently, in particular about the expected actions of the ICO and the fines it will levy.
Much of the time the scaremongers refer to the massive fines that could be levied (under GDPR 4% or £17 million, whichever is the larger, vs a DPA maximum of £500,000). However, the ICO has never (yet in its history) issued the maximum fine under the DPA, and says that it certainly isn't looking to make examples of organisations for minor infringements of the GDPR.
Having said that, the evidence is slightly contradictory when you combine the fines under the DPA and the PECR (Privacy and Electronic Communications Regulations). For 2016 the ICO states that it fined only 16 organisations under the DPA, which is true; however, it fined a further 17 under the PECR, giving a total of 33 fines in 2016. At the time of writing (August 2017) we are already at 44 (combined) so far this year.
Whatever the figures are, the simple fact is that we all have to comply or face the risk of some penalty.
6) If we have put things in place by May 2018, is that all we need to do?
Organisations should be aware that GDPR should be viewed as a living process: you are required to continually review and assess all decisions, processes and practices for their potential impact on GDPR compliance going forward. If you decide to offer a new service or product, for example, you need to have assessed the potential impact of the GDPR regulations and acted according to the results.
It only takes one enquiry or complaint from an individual to the ICO to give them the right to knock on your door and ask to see the evidence of your GDPR compliance and of the processes and continuous monitoring that you have put in place.
Our advice would be to put privacy and protection of data at the start of all your thinking and your actions; this is commonly known in the industry as Privacy by Design.
7) OK, so if I ask my IT provider to work with my office manager to put things in place, that will cover it, won't it?
The simple answer to this is no. GDPR requires buy-in and active involvement from the highest level to the lowest, with specific subsets of people involved in each project and constant consideration of who should have access to what.
Think of Privacy by Design as an extension of the old 'need to know' basis.
Many people also think that IT alone, or worse, a single IT solution, will make you compliant. While IT will obviously help to protect data in the first place, there is no single vendor or single solution that can make you compliant. The watchword is 'Collaboration', and this should be orchestrated between all departments and suppliers that have any involvement with your data.
8) Surely there is a document that states exactly what we have to do to become compliant?
I am sure we all wish this was the case, but sadly it is not.
GDPR as a regulation is based purely upon principles; in other words, the regulation and the regulator (the ICO in the case of the UK) state only what you should have in place to be considered compliant, not how to get there. How you get from where you are now to the point of compliance is for you to decide, assess and implement, and then to review.
9) So how do I get there from here?
Well, this will depend on where you are starting from, but our advice (unless you are very conversant with management and quality systems and the DPA) would be to look at your organisation from the outside and to assume that you have nothing in place.
Identify your data, and then identify who its controllers and processors are, as these people could potentially be personally liable for data breaches.
Then, as a top tip, we would recommend that you use risk assessment and risk mitigation and management as your starting point.
If you would like further information on how to move forward, then subscribe to our mailing list and receive guides and information on GDPR and other subjects around Risk management. The next guide being released is the ‘Next Steps Guide to GDPR’ which outlines the actions that you can take to set you on the right path to compliance.