GDPR. What is it? And What do I need to do?
It’s not long now… No. Not Christmas! I’m talking about the 25th May 2018! The date when the new General Data Protection Regulation (GDPR) comes into force. Now I realise that this topic may be sending you crazy or sending you to sleep! But please stick with me… This is important.
If you aren’t aware of the GDPR, I have to ask where have you been?! Because these days it seems if you can open a window and throw a rock, you’ll hit a GDPR expert! But if you are new to it, let me summarise what it is by quoting the Information Commissioner, Elizabeth Denham:
“The GDPR is the biggest change in Data Protection laws in over 20 years. We’re all going to have to change the way we think about data protection.”
Now I could go into how this affects your business (which is profound). I could talk about how this affects your employee records (which it does), but I prefer to focus on you. Because this affects you, your wife, husband, partner, children, parents, grandparents, friends and extended families.
The GDPR affects every EU citizen and how their data is processed (i.e. collected, shared, stored, managed and destroyed). So before you think “This doesn’t affect me”, it does. Both personally and professionally.
What do I need to do?
Much has already been written on the GDPR and what organisations should be doing, so whilst this short blog won’t go into detail, I do think it’s important for us to provide some advice. So here it is:
Step 1. Education
Depending on where you’re starting from, you need to know more about the GDPR. Seek advice, go to seminars, and ask questions (of professionals and others in your peer group).
Education also means talking to your business, because they need to be educated too. Set up a ‘GDPR Working Group’ to look into what needs to be done.
Step 2. Understand
Identify the data you hold and where it is. This isn’t as difficult as it sounds (yes, it can be complex but not difficult). Consider each area of your business and ask:
- What kind of personal data do we hold in this area?
- How much personal data do we hold in this area? (e.g. 10,000 CVs? Or 75,000?)
- Where is this data held? (e.g. in emails? In a CRM? In the cloud?)
From here, you’ll start to build a picture and a myriad of other questions will surface.
Step 3. Don’t Delay
Procrastination is the thief of time… If you delay you’ll hit 25th May 2018 and won’t have achieved anything. Start today. Start small. Look at your own data processing practices (both personally and professionally), identify the ‘unknowns’, and start filling the gaps.
There’s no escaping 25th May, just as there’s no escaping 25th December. You know it’s coming. You don’t want to be left embarrassed by a lack of action (on either day!), because if you do you may find your reputation takes a hit (not to mention the financial penalties).
At the end of the day, the GDPR isn’t revolutionary, it’s evolutionary. At its heart GDPR is simply about Giving Data Proper Respect. That’s something we should all be doing, right?
Agenci are an international cyber security consultancy, specialising in ISO 27001 certification, GDPR, managed security services and cyber security.