Recently I have been working in the area of GDPR compliance. When I first properly understood this new regulation, coming into force in May 2018, I was quite shocked.
Data Protection was previously, like many other companies I’m sure, a tick box exercise, a best effort. We are a small business after all, so it doesn’t really matter, does it? Who is going to find out?
What I discovered set alarm bells ringing.
- GDPR has teeth, I mean real teeth. Fines of between 2 and 4% imposed for reported breaches
- GDPR can even extend to personal accountability for the Data Protector and its individual directors. Much as the HSE and FCA can disbar, imprison or fine individual directors, so can GDPR
- This act will cover ALL aspects of your business, from employee data to customer data, methodologies of supply chain management and the obvious methods of security relating to your IT AND non-IT systems
- Doing nothing is NOT an option
- Proving that you are doing something is mitigation but ultimately over time this will be discounted unless progress is shown
- This is a bedrock upon which your business will continue to operate, or not
- Supply chains will very shortly be auditing you, to ensure compliance. So, when your customers check that you are compliant, this will be a trigger for continuing to do business with you – or not
There is a lot of noise in the market at present. Seminars are being offered by most professional firms that outline the scope of the act. There will be a real need for legal advice at many turning points, IT verification from independent external specialists, and documentation to show compliance along the way
Two things come to mind.
- There is an IT component to GDPR, obviously as our data is mostly held in electronic form (paper based data is also covered by the Act)
- Then there is a Legal component to GDPR, as most of our engagement contracts between customers, suppliers and internally will need revising to catch up with the new legal requirements.
All of this boils down to one question – how long can you stay in business without being compliant?
Much like driving your car without an MOT, the answer is of course – until you get caught.
But with systems that connect us to the world and back, that timeline could be extremely short.
What to do – practically speaking
Firstly, know what needs to be done – specifically
That requires an audit of your company and its systems. Don’t delay in finding an independent auditor, and engage them quickly before the rush in a few months’ time
I see many businesses who believe they can manage this internally, delegating this to the IT or auditing functions. Whilst this may seem financially attractive, having an independent steer to guide your people in the first steps, and then act as a point of expertise, is invaluable
If you are relying on your website provider to give you a clean bill of health, don’t forget the adage of turkeys voting for Christmas. If you fail to take control of the website environment, how confident are you that your supplier will disclose issues that may reflect badly on them, or cause them cost to fix for you? Again, have this independently checked – a vulnerability test may cost a few hundred pounds, but then you are in possession of facts.
Engage with your legal advisors to ensure that ALL of your contracts are tight. This even extends to ad hoc advisors to your business, who in the course of their work may come into contact with your data, which you must then control with legal contracts and processes.
The last point is about company CULTURE
I’ve noticed that many of the more severe prosecutions, led by the Health and Safety Executive and the Financial Conduct Authority, refer to a CULTURE of inappropriate behaviours. One that seeks to rush about, just prior to an inspection, to complete paperwork and audit trails, whilst in the meantime getting on with the “normal” business. They are penalised more heavily due to this attitude and laissez-faire approach
A cultural lead from the boardroom is needed to drive through compliance with GDPR. Acceptance and promotion of regular internal audits, risk reviews and adherence to the terms of GDPR without exception are needed to become a compliant business.
Let’s face it, if your finance provider or bank, regulated under FCA rules, failed to take their responsibilities to you seriously, you would expect punitive action to result. If your supplier didn’t care so much about Health and Safety and an accident happens, you would expect ramifications.
GDPR is such an Act. It carries responsibility up and down supply chains, and for this reason will permeate through the business world very quickly in 2018.
The question now is: what have you done so far, is it enough, and what will you do next to lead your business?