Responsibility. Forget the alarmists predicting GDPR will be the next millennium bug and the swathes of companies using its forthcoming introduction as an easy way to boost their coffers. Essentially, GDPR can be summed up as a responsibility regulation.
Many small to mid-sized companies are fearful of the impending regulations and the potential costs involved, and worry that they may need to recruit a specialist, potentially over-insuring themselves. But I'd like to dispel the myth that GDPR compliance is the beast its reputation would have us believe.
Whether you are a data subject, processor or controller, the simple fact is that human empathy and common sense, overlaid with responsibility for data that has been 'loaned' (not given), will allow practical compliance with GDPR to a level that is likely to be policed, is ethical and is within easier reach than most sources suggest.
Many of the GDPR's main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law, then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.
Under the regulation, you must inform the ICO within 72 hours if you have a data breach. While a processor of the data you hold (as controller) must assist you in finding out about the breach, it is the controller's responsibility to report it. This applies whether a company is holding or processing the data itself or the data sits with a cloud or datacentre provider. Fines can apply both to the breach itself and to any failure to report it. Whilst not all breaches will require reporting, it makes sense to ensure this step is built into your processes.
The GDPR also places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability, which, with some foresight and planning, is one of the easier items to tick off as complete and compliant.
Once an organisation understands the types of data it holds, where it holds that data and what potential issues could arise around it, a planning exercise is needed to map out which parts of the GDPR will have the greatest impact on your business model and to give those areas due prominence in your planning process. At this stage, a decision on whether a Data Protection Impact Assessment (DPIA) is required for these areas would be pertinent.
Remaining areas requiring forethought and consideration centre around:
Subject Access Rights – the logistical implications of having to deal with requests more quickly.
Consent – positive opt-in and freely given, specific, informed and unambiguous.
elucidate will work with small to mid-sized organisations to navigate the so-called mysteries surrounding GDPR without costing them a small fortune.
GDPR will affect your business, and elucidate can help you become fully compliant.