Ian Moyse, FAST & Cloud Industry Forum Board Member Follow at www.ianmoyse.co.uk & www.ianmoyse.cloud
You may have heard the term GDPR (General Data Protection Regulation) and if not you certainly will. As we approach May 25th 2018, when this becomes European law, the noise around this will grow.
Don’t stop reading now as the acronym seems boring and not relevant to you, it is and it is !
What’s happening is that a new law will come into play across Europe, yes the UK included too, Brexit or no Brexit it will apply! This law will effect organisations with operations in the EU, those that trade from one EU country to another or those that simply trade within territory.
This is not another year 2000 hype where there was no impact or pain. The impact is already happening and the pain is going to get greater!
If you’re not sure what the GDPR is or how it will affect your business, now’s the time to start paying attention. This is all about company’s legal liability to protect data they hold on staff, customers and in fact anyone where personal details are stored and the impact (fines £) that are going to ensure if you don’t!
So this encompasses cloud, on premise, IOT and mobile, no matter where you store data, if it meets the criteria of personally identifiable and relevant information then you need to comply. Ignorance will not be an excuse and in fact will put you in a far worse position. Better you can demonstrate your diligence of action and how you have tried to mitigate any risk as a defence. It is good practice to be able to demonstrate that you have attended training, acted on the process recommended from it and tried to do the right thing and you have a far better chance of being treated leniently and worked with rather than against it should the worst happen.
There is a wealth of information and articles on GDPR available, unfortunately they mostly quickly defer to complex detailed information and do NOT give clear and plain guidance as to what it means and what needs to be done, hence stats such as “96% of businesses do not fully understand GDPR (Source : Symantec 2016)
Any firm operating in the EU will need to legally comply and demonstrate that they hold personal data securely and have strong processes around this for data holding, security and destruction.
So let’s make this clear and simple in 3 buckets, why it is, what it is and what you need to do;
Data is important and you have a legal responsibility to do certain things
Data breaches hit all-time record high in 2016 with an increase of 40% over 2015!
You may have already heard about some of the high profile names who had such breaches in the last couple of few such as Three Mobile(UK), French naval defence contractor DCNS, Vodafone (Germany), Tesco Bank (UK) , Bundestag (Germany), the Czech Ministry of Education, the Irish Department of Social and Family Affairs, Kiddicare (UK) and we could go on and there will be more of these stories coming for sure!
Data Protection Laws are long due an overhaul. For example most Data Protection Acts have not been revisited since the late 90’s at best, since when the world has changed radically; the internet, cloud, and mobile changing the volume of interactions and data exchanges taking place.
What GDPR is
GDPR is the new law that requires from May 2018, any business that operates in the EU or handles the personal data of people that reside in the EU must implement a strong data protection policy to protect this client data. It is the EU’s way of giving customers more power over their data and less power to the organisations that collect and use such data for monetary gain. Businesses that fail to meet the new standard will face fines of up to 4% of global turnover or €20m (whichever is larger) and businesses that suffer from a data breach without having adequate measures in place will suffer the same.
So this is a law, something mandatory you need to take action on as a Director of a firm with Director liabilities and something that your customers care about. See this not as a threat but as an opportunity to get your ship in shape and proudly state to customers you have been on GDPR training and are taking action with processes to be a good caring supplier. Consider putting a GDPR and how we care for your data section on your website, alongside contact us and about us.
What Action you need to take…. (and Don’t Panic)
You need to be prepared as a business to take action now and to mitigate the risks you face.
Do not assume you are immune from a security leak of data and that you can deal with it afterwards! By taking action now you can help reduce the risk of it happening and by taking demonstrable action will provide you a defensive protection should the worst happen.
The May 2018 deadline may seem a long way off at the moment , but businesses must act today in order to understand what it will take for them to achieve compliance and to have time to do it and to do it without panic and fitting it in alongside your day to day running of the business.
You need to get the ball rolling and have a plan of actions for your journey to GDPR, so that come 2018 you have no panic, no worries and can assure your customers of your compliance.
There is already much scrutiny from customers on non EU businesses, such as USA cloud providers operating in the region and there will be increased expectation under GDPR as more customer promote their GDPR compliance as a comfort feeling for their own customers.
There is much talk for example that every organization will need to appoint a Data Protection Officer and that failure to do so will expose you to possible huge financial sanctions. In some cases this may be required, you need to understand this now and the most effective plan you can take to ensure you are compliant in the most effective manner for your business.
The last Information Commissioners Office survey found that 75% of adults don’t trust businesses with their personal data. ). So as well as being legally compliant you can also utilise this in a positive way to assure your clients are assured in dealing with you.
You will find many offering 3 day courses and/or complex expensive consultancy and whilst for some this may be appropriate, for most allocating someone in your business to own the process as a special project ownership and sending them on a day’s awareness and process training workshop now will get you on the way with plenty of time to work it out well for your business.
If you wish to know more and find out what sort of training options are available and costs checkout WWW.GDPR.DIRECT.
Ian Moyse, FAST & Cloud Industry Forum Board Member
Follow at www.ianmoyse.co.uk and www.ianmoyse.cloud