With 87 working days to go before the implementation of the EU General Data Protection Legislation on 25th May 2018, the pressure on businesses and organisations to be Data Protection Accountable is enormous.
Much has been written and articulated in the public arena in recent weeks, months and years regarding GDPR and its implications and effects for the corporate world and for organisations that collect and store personal information. Safe to say it cannot and will not be business as usual after 25th May.
Powerful rights are afforded to individuals under GDPR. Essentially, control is given back to you and me as to how our data is collected, stored and shared by any organisation or business. From the sole trader to the partnership, SME, GP surgery, dental surgery, legal practice, charity and sports club, such businesses and organisations, and others, are now legally obligated to review their data protection policies and procedures to ensure that they are Data Protection “Accountable”. Accountability is the new “buzz word” in the world of data protection. Failure to demonstrate “Accountability” by 25th May, or at least to illustrate that it is a work in progress, will no doubt attract the attention of our Data Protection Regulator, Helen Dixon, and her team of enforcers. Over the past two to three years millions of euro have been pumped into the Regulator’s budget by the government to ensure that her office is adequately resourced, both in financial terms and in staffing levels.
Without doubt, post 25th May this ground-breaking legislation will be very rigorously policed. EU GDPR implementation has made Data Protection very real, and failure to comply with its onerous demands will be reflected in the fines and sanctions handed down: monetary fines of up to €20,000,000 (or 4% of annual turnover, whichever is the greater). The Regulator will also have the power to potentially close a business in the event of a significant data breach.
ISME, the independent representative body for SMEs, published a report on 12th January 2018 on a survey of its members covering their knowledge of, compliance with and preparation for GDPR. Their findings make interesting reading: 82% of respondents confirmed they were aware of GDPR, 62% could not identify any changes that GDPR will bring and 70% are unaware of the steps they need to implement. With so little time before 25th May these figures are somewhat worrying and, I fear, reflect complacency and a lack of clear understanding of the impacts and effects of GDPR.
A crucial starting point in GDPR understanding and preparation is “know your business”, organisation, club or charity. Identify the categories of data collected, how that information is gathered and for what purpose, and whether the data is going to be shared internally or externally. Are security measures adequate to protect sensitive data? Having identified the categories of data that are collected and how that data flows, a review of current policies, procedures and IT systems should be conducted. GDPR introduces several mandatory policies and procedures, and I strongly advocate that business owners and organisations become aware of these additional requirements and implement them accordingly.
Gone are the days when it was perceived that Data Protection was owned by the IT Department. Under the regime of GDPR and the mandatory principle of “Accountability”, everyone who “touches” personal information is individually responsible for the processing of that data. Therefore it is critically important for all businesses and organisations to implement and maintain an employee training programme on data protection, and to ensure that the principle of Accountability is embedded throughout the business or organisation.
Great focus has been placed on the deadline of 25th May 2018, but do not think that after this landmark date the foot can be taken off the pedal. GDPR Accountability requires continual reviews and audits of businesses and organisations to ensure that any new technologies, projects, staffing changes or changes in vendors and suppliers have taken data protection requirements into consideration.
As a Data Protection Consultant, my plea to the business community and organisations is this: please utilise the next 87 days to become aware of your GDPR obligations and responsibilities, and implement the changes.
For support and advice on GDPR the writer can be contacted at email@example.com. Website www.monclaredataprotect.com