To quote Churchill: Never has so much unwanted e-mail, been sent to so many, for so little return…
GDPR is here. Are you ready? Have you read the articles? Have you opted in? Are you prepared, planned and compliant? Has the sheer deluge of information just confused and depressed you?
Worry no more! DIGIT is – as always – here to help. We have compiled THE ULTIMATE GDPR GUIDE, with everything you could possibly need to know about GDPR in one simple, comprehensive cut-out-and-keep guide, because we care – and we know you feel that.
Let’s Start at The Very Top
Sorting Fact From Fiction
Elizabeth Denham, Information Commissioner, outlines the ICO’s stance on the flood of (mis)information about GDPR…
…but there’s also some misinformation out there too. And I’m worried that the misinformation is in danger of being considered truth.
“GDPR will stop dentists ringing patients to remind them about appointments” or “cleaners and gardeners will face massive fines that will put them out of business” or “all breaches must be reported under GDPR”. I’ve even read that big fines will help fund our work.
For the record, these are all wrong.
If this kind of misinformation goes unchecked, we risk losing sight of what this new law is about – greater transparency, enhanced rights for citizens and increased accountability.
“This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that.
Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point. And that concerns me.”
Read Ms Denham’s definitive DIGIT article on sorting GDPR fact from fiction, busting the myths and setting the record straight.
What’s GDPR Really About?
Martin Sloan, Brodies, explodes the myths behind the regulation…
GDPR does not apply if personal data has been encrypted
Encryption is mentioned in GDPR as being one of the tools that organisations can use to help protect personal data, and it may help reduce the risks to individuals if there is a data breach. However, the processing of that data is still subject to GDPR.
I can buy a product/service that will make me GDPR compliant
While technology undoubtedly has its part to play in helping an organisation comply with its obligations under GDPR, it is not a solution. Organisations should look at why and how they are processing personal data. Be wary of anyone offering a product or service that is GDPR certified or that promises to make you GDPR compliant.
I can’t process personal data without consent
Under GDPR, the rules on consent are being tightened up. However, consent is just one of a number of legal bases upon which personal data can be processed. Consent can be problematic – it can be withdrawn and it gives individuals some additional rights.
If you currently rely upon consent then look at whether there is another, more appropriate basis upon which to carry out that processing – for example, it is necessary to perform a contract or it is necessary for the purposes of legitimate interests that you are pursuing. If you are unsure what your legal basis processing is, then get expert advice.
Read Martin’s amazing breakdown of GDPR myths, to find out what this new regulation is really all about.
Practical Steps to Achieving GDPR Compliance
Douglas Rintoul, IT Partner, Johnston Carmichael, looks at the simple, practical ways to make your company GDPR ready…
While senior management teams within organisations need to understand the implications of GDPR and buy into the changes required, it is also critical that this message filters from the top down, to everyone within the organisation who may have actions to take. Senior management need to lead by example, showing the importance of treating personal information in accordance with privacy requirements. Training needs to be mandatory for new starts and, for existing staff, a series of group sessions on how the changes specifically impact your business are needed.
The privacy of both employee and customer personal information needs to be at the core of the business processes in your organisation. It should not be an afterthought. Clearly this cannot change overnight, so what practical steps can you take?
Initially you need to document the business processes across the organisation, focusing on these questions:
- What different types of processing do you carry out?
- What data subjects are included for each of these activities?
- What personal data you hold and reasons for this?
- Where does it comes from?
- How does it get into the business?
- What format is it stored?
- Where is it stored?
- How, and who is the data shared with outside that area of the business and externally?
- What are the risks?
- How can they be mitigated?
- Building up a picture of where you are as a business is vital to understanding both the potential and identifiable risks.
Read Douglas’s expert in-depth article to get the complete run-down of the practical steps your business can take to make sure you’re compliant.
Identifying The Snake Oil Salesmen
Steve Gibson, Information & Cyber Security Specialist, helps you spot the charlatans and get-rich-quick schemes
Right now GDPR is becoming synonymous with ‘Get Rich Quick’ money making schemes that almost any business can tap into in order to exploit the not so well informed among the business community.
And so, webinars and training programs are springing up left, right and center to scare you with the horror of what is to come, and how the people running those programs can provide you with the panacea for all your GDPR woes. This is tantamount to paying a guy you just met in the pub for financial advice.
The effect of all this results in:
- The desensitization of the business community who start to ignore the true implications of GDPR, thinking they are just scare tactics
- The proliferation of ‘Bad Advice’ from organisations who have, at best, only partial understanding of what GDPR requires
- A false sense of security to businesses who think that by introducing a control and ticking a ‘compliance box’ they have nothing to worry about
- Overly fearful managers who believe they need to spend a fortune on introducing drastic changes in order to protect personal information
- A negative impact on the image and credibility of the genuinely experienced and qualified experts from the security and privacy community
Read Steve’s fantastic article to help you spot the warning signs that your so-called GDPR ‘expert’ is not quite the genius he/she claims.
The Rise of the GDPR Ambulance Chasers
DIGIT – Could the new regulation open the doors to opportunistic law firms who want to make a few bucks? We spoke to some experts…
Could the advent of GDPR give rise to opportunistic law firms looking to capitalise on non-compliance? DIGIT spoke to some of the country’s leading privacy and legal experts to find out what the future might hold…
Professor Bill Buchanan OBE told DIGIT: “My worry is that many companies are currently in the wrong place to actually properly implement GDPR, and that a radical re-design is required to make their systems ready for incident reporting and in the usage of encryption. The concept of users having access to their own data and in pseudo-anonymisation will often require a complete change in their approach.”
Early warning signs are already here. Supermarket chain Morrisons is facing the dock in the High Court after failing to prevent the data of 100,000 of its employees going online in 2014. Now, 5,518 former and current employees have been corralled by a single solicitor claiming compensation for the ‘upset and distress’ that the incident has caused their clients.
Martin Sloan, a Data Protection Lawyer at Brodies LLP, told DIGIT that, while ironic, it is entirely possible for no-win no-fee firms to seize the ‘opportunity’ that patchy approaches to info-sec present.
Sloan said: “Whether the increase in data breach incidents and greater awareness of data protection laws leads to PPI-style cold calls following any major data breach remains to be seen. This would be a somewhat ironic outcome, considering a number of PPI claims companies have been fined by the Information Commissioner’s Office for breaching the rules on SMS marketing and cold calls!
“However, for organisations holding information on large numbers of individuals, it’s easy to see how compensation claims for breaches of data protection law, could quickly add up. Such claims could be made not just for a failure to properly protect data from a security breach, but also for unlawful processing or a failure to comply with obligations in relation to transparency and accountability.
“Clean-up costs, compensation claims and reputational damage could dwarf any regulatory fine. For example, while TalkTalk was fined a record £400,000 by the ICO following its data breach, it is estimated that the overall cost to the business in terms of remedial action, clean-up costs, and loss of customers is between £50 million and £60 million.”
GDPR: Dumb Ways To Fail
Toby Stevens the director of the Enterprise Privacy Group, takes us through a comprehensive list of the supremely stupid things you can do to fail GDPR…
- Assume it doesn’t apply to you
- Ignore accountability – nothing to do with me!
- Don’t start yet, there’s loads of time until we need to do things
- Treat it as a one-off project. Easy. We’ll be done by next Thursday
- Demand CONSENT FOR EVERYTHING! (this one in particular is ringing a few bells right now)
- In the rush to GDPR compliance, forget all of the other laws you should really be sticking to
- Treat today (May 25 2018) as the ultimate deadline
Yes, they’re obvious, but that doesn’t mean somebody’s not going to do them! Click the links above to read the full articles.
A General Day, Post Regulation
DIGIT looks at a typical day for a data controller, now that GDPR is here. Pay attention, this could be you…
…Go Determinedly Plan Re-consent
General Digital Population Resigned
Get ‘Data Permission Removed’
God Damn Public Reprobates!
Google “Doctor, Prozac Required”
Greedily Down Pills, Rum…
…Gin, Daiquiri, Pimms, Redbull…
Gone! Desperately Pillage Refrigerator…
You can – and should – read the whole thing. It’s a sobering piece and one which every reader would benefit from.