Are you still sweeping GDPR under the carpet?

14 Jun, 2018

Are you still sweeping GDPR under the carpet?

If so, don’t be embarrassed, you’re not on your own. In March it was revealed that a large proportion of businesses were either only in the early stages of preparation or hadn’t even started.

Whilst the ticking time bomb counted down to 25^th May 2018, this was not a final cut-off.  GDPR is an ongoing matter that your business will need to continually comply with so it’s not too late to start your preparations.

Firstly, we’ll look at what it is, secondly at the ICO Checklist and finally how we can help you comply.

Not sure what GDPR is?

The General Data Protection Regulations (GDPR) is a beefed up version of Data Protection. It has been a regulation for a while but became legislation on the 25^th May.  If you fail to comply, you run the risk of big fines from the Information Commissioner’s Office (ICO).  The potential fines for failing to comply with GDPR could reach up to €20 million or 4% of the group worldwide turnover (whichever is the greater) against both data controllers and data processors.  You can find out more about GDPR on the ICO website.

To put these fines into perspective, The University of Greenwich recently became the first university to be fined by the ICO following a ‘serious’ security breach involving personal data. As this fine was issued under the Data Protection Act 1998, they were only fined £120,000.  Had this been under the GDPR, the fine could have been considerably higher!

So, if you haven’t even thought about GDPR then what are your next steps?

12 Step Checklist

The ICO issued a detailed 12 steps in preparing for GDPR but here’s a quick run through:

1. Make sure key people within your business are aware that the law has changed.
2. Conduct an internal audit to find out what personal data you hold, where it came from and who you share it with.
3. Review your current privacy notices.
4. Check your procedures to ensure they cover all the rights individuals have.
5. Update your procedures and plan for subject access requests.
6. Identify the lawful basis for you processing the data.
7. Review how you seek, record and manage consent.
8. If you hold data on children, consider your procedures for verifying ages and obtaining parental or guardian consent.
9. Review your procedures for detecting, reporting and investigating a personal data breach.
10. Adopt a privacy by design approach and carry out a Privacy Impact Assessment.
11. Assign a Data Protection Officer.
12. If you operate in more than one EU member state, document your lead data protection supervisory authority.

Reviewing these steps, it’s understandable why GDPR has been so daunting.

How we can help

If you need extra support, we can help in two ways:

1. GDPR Training  

We are running a GDPR Bootcamp course, helping you to prepare for GDPR and giving you a better understanding of the evidence you will need.

This course offers you the opportunity to work through your own organisations unique GDPR needs. With our trainer’s support, you’ll leave with documents prepared and a specific action plan for you to implement.

To book on to our next course, please visit our website.

2. GDPR Consultancy  

We appreciate that every business is different and each will manage their data in different ways. We can therefore arrange for one of our GDPR consultants to provide one-to-one guidance tailored for your needs.

To explore this option, call us on 01905 670303 or email info@isoqsltd.com.

How ISO 27001 can help

The Cyber Security Breaches Survey 2018 found that some businesses have used GDPR as a leverage with management to improve their cyber security. If this is something you’re considering, it may be worth implementing the ISO 27001 Information Security Management Standard.

Those businesses who have ISO 27001 are already half way to achieving GDPR compliance. This standard helps you effectively manage risks to the security of your confidential information, both electronically and physically.  More information on achieving ISO 27001 Certification can be found here.