AM I GDPR COMPLIANT?
Despite GDPR having been in force for over 18 months, many businesses are still struggling to achieve full compliance. Even with the prospect of crippling financial penalties, data privacy and security remain an elusive objective, and the evidence points to slow adoption.
Global consulting group Capgemini recently assessed GDPR compliance across several firms in its “compliance in the digital century” research report and found that “Compliance is below par – fewer than 30% of companies claim to be compliant with the GDPR.”
The report also found that the main issue organisations struggle with is outdated IT infrastructure. For many businesses, the cost of updating and implementing a secure data protection framework, and the effort involved in manually sifting through a data wilderness, appear insurmountable.
It is essential to take on board that no two organisations are the same: each has a different customer base, different data storage mechanisms, and different classifications of privacy level, whether sensitive or general. Implementing GDPR will therefore need defining case by case, according to the compliance expectations of the ICO. It means putting together an action plan, starting with an understanding of the requirements, through to an end goal and a clear strategy for maintaining compliance. An action plan alone will prove to the ICO that an organisation is taking its data privacy responsibilities seriously.
The initial furore over GDPR compliance has dimmed somewhat, and complacency appears to have settled in – a worrying trend, especially in light of the powers conferred on the UK’s chief data protection officer, Elizabeth Denham. Since the inception of GDPR, the ICO (Information Commissioner’s Office) has taken on the likes of Google, Facebook, Equifax, British Airways and the Marriott Hotel group and recovered millions of euros in fines. British Airways alone suffered a significant data breach in which hackers obtained the personal data of approximately 500,000 BA customers; the resulting record fine of £183.4M sent shockwaves through the business world.
Put together an action plan today to ensure future compliance, starting with your website. We live in an intensive digital era, and constant updates to data protection rules consume businesses and individuals alike. From cookies to driving a car, data plays an enormous part in our lives whether we realise it or not.
Just recently, cookies and online tracking of customers have come under closer inspection in the European courts. Website owners cannot assume that a visitor consents through the use of pre-ticked boxes. Instead, according to the Court of Justice of the European Union, that box must be empty, allowing the visitor to make an active “consent choice” rather than presuming consent.
This case highlights the underlying ethos of the GDPR: the power of the individual to control how companies collect, store and process their data, which at the same time is proving a headache for ad agencies.
Putting together an action plan and checklist will go a long way towards ensuring compliance. Look at the following and tick off each item if you a) understand and b) comply with the law. The action plan should contain a list of all the crucial undertakings, including:
A full review of company data
This document will map out exactly where data comes from and what happens to it. Include a full account of the type and age of the data, its relevance and sensitivity, where it is held, and everyone who has access to it. Keywords that pave the way to compliance are:
- Up to date
Ensuring data meets these target keywords is the vital first step on the journey to compliance and builds a foundation for customer and staff relationships.
Be a data minimalist
A fundamental feature of the GDPR is regular housekeeping. This task entails regularly clearing out data that is no longer required or of any benefit to the business. When creating your checklist, the recurring theme should always be questioning the reasons for and purposes of the data. Data is the core of many businesses, and data deletion may not be financially feasible. Instead, look at data management and the options of encryption or pseudonymisation.
Unless you have been on another planet lately, you will not have missed the highly publicised naming and shaming of some big tech organisations over insufficient security measures that allowed customer data to fall into the hands of hackers. Protecting data has to be at the forefront of any organisation. Putting in place extensive policy documents on how you implement security and data breach prevention measures is something you can start on if you have not already done so. The most important part of your GDPR policies and procedures is what to do in the event of a data breach. The ICO has strict requirements on how an organisation should act, above all minimising risk as far as possible by informing data subjects and the relevant authorities.
Security measures extend to your third party suppliers: GDPR requires contracts ensuring data privacy with anyone to whom you outsource work.
Implement these GDPR essentials:
- Legally obtained consent, in clear and transparent language, that enables withdrawal of consent
- Data subjects’ legal rights to:
  - a) data deletion
  - b) data transfer
  - c) data rectification
GDPR is a challenge and a pain for many businesses, but carrying out an overhaul of data management and housekeeping will make your organisation efficient, organised and ready for the unexpected.
It will also help you find favour with the ICO should a disaster ever occur, and provide your customers with fundamental data security, gaining their trust in a competitive business environment.