4 Dec 2019 by Mike Weaver
While many enterprises are taking steps to become compliant with the European General Data Protection Regulation (GDPR), a recent YouGov study on GDPR revealed some concerning insights. Out of 2,000 businesses surveyed:
The impact of non-compliance on small to medium enterprises (SMEs) is a recurring concern throughout the conversations, articles and general noise about GDPR. These are the organisations that may lack the resources, guidance or even awareness of the impending regulation, and they are also the businesses that stand to suffer most heavily from a failure to comply. With unprecedented fines of up to 4% of annual income, or €20m (whichever is greater), these penalties could do lasting or even fatal damage to any company’s bottom line. Many large organisations and corporations have contracted GDPR teams or specialised consultants, but for many SMEs this may not be affordable or achievable. That doesn’t mean GDPR planning and strategy can be ignored or put on the back burner.
GDPR is one of the most important pieces of IT legislation in EU history. It is designed to deliver better information security for everyone and to improve international business through unified legislation.
When approaching a big project like this, sometimes it’s helpful to start with the basics.
The Information Commissioner’s Office (ICO) is the official source of GDPR information. It has created a number of quick guides specifically for SMEs, and even offers advisory visits to help your organisation. If you have already made some changes towards compliance, the ICO has also published a detailed checklist for you to follow.
Whether you’re a huge multinational or a much smaller set-up, each point on the list below is relatively simple and fully achievable. By following these points, you can begin to further protect the rights of the people giving you their data, and be well on your way to GDPR compliance.
Using plain language, tell your customers who you are when requesting data. Explain why you’re processing their data, how long it will be stored for, and who will receive it.
Get your customers’ clear consent to process the data. This could include something like checking age limits, and getting parental consent if your organisation is using social media data from a younger audience.
Let people access their data, and make it available to other companies (if requested by the customer).
Inform people of serious data breaches as soon as possible. This point is a crucial part of GDPR compliance, and failure to do so has serious consequences.
Much like the famous Google case, the ‘right to be forgotten’ is now applicable. Personal data should be erased if asked, but only if it doesn’t compromise freedom of expression or the ability to research.
If you use profiling to process applications for legally binding agreements, you must inform your customers. Make sure a person (not a machine!) reviews the process if an application is rejected, and offer the applicant the right to contest the decision.
Allow people to opt out of marketing that uses their data.
For personal information on health, race, sexual orientation, religion and political beliefs, use extra safeguards.
Make sure to prepare appropriate legal arrangements when transferring data to countries that have not been approved by EU authorities.
From development to release, ensure that you build data protection safeguards into your future products and services.
If you process data for another company, make sure the contract is watertight, and list out the responsibilities of each party.
You don’t always have to have a Data Protection Officer, but a few factors decide whether you need one. The type and amount of data you collect matters, as does whether data processing is your main business. There isn’t a single rule specifically for SMEs when it comes to appointing a Data Protection Officer; however, the role is mandatory for all organisations (regardless of size) if:
SMEs aren’t required to keep records of processing activities unless the processing is regular, likely to result in risk to the rights and freedoms of data subjects, or deals with sensitive data or criminal records.
What should the records contain?
If you process and keep information about your customers, employees or suppliers, there is a legal obligation to protect this information, and you must:
A data protection impact assessment (DPIA) is mandatory for organisations that process “high risk” data. If an organisation processes data to an extent that the processing can interfere with the rights and freedoms of a data subject, a DPIA is necessary. Impact assessments are useful for all organisations, though, because they allow problems to be found and fixed at the early stages of a project. It’s highly recommended that you carry out impact assessments to identify, mitigate and minimise risk.
Where Do I Begin?
GDPR doesn’t mean fighting through more red tape, but instilling confidence in your customers as they navigate the digital world.
Remember, even if GDPR compliance feels difficult and time-consuming, once you get there it becomes a matter of maintaining the correct practices and processes you have adopted. You must be compliant by the 25th May 2018 to avoid the risk of fines, sanctions and bans. Our advice? Use the wide range of resources available to support you, do your research, and if you haven’t started yet – now’s the time!