It would be easy to think of it the same way as the current UK Data Protection Act (it only matters if there is a breach/incident, it is too complicated to try to understand, we cannot afford to have someone committed to data protection, it does not apply to us). However, a big difference with the new regulation is that the risk of action from the ICO has moved from impact of a breach, to not being compliant. That’s right, once GDPR kicks in; simply not being compliant carries the risk of action.
A couple of the new requirements are things like getting clear consent to hold data, responding to requests about what data you hold on individuals and the right to be forgotten (deleting personal data). It is now a requirement to respond to requests within defined timeframes. Not having the appropriate controls or procedures in place puts employees, clients and the business at risk. However, the tricky part is to reach a balance of appropriate controls while not killing productivity.
Given the numerous differences from the current DPA, the potential affect to our reputation, and the nature of our business (holding data on clients, employees and prospects), we have decided it is vital for us to do everything possible to understand and be compliant to GDPR. The more we learn, the more apparent it becomes there are many boxes that need to be ticked. As a starting point, we are carrying out a GAP analysis to understand how our current policies and procedures compare to the requirements of GDPR. Because there are so many changes coming, we wanted to ensure it is being done correctly. This led us to using a proven and formatted approach.
As a business that holds personal data such as names, phone numbers, email address or sensitive information on clients, employees or prospects, there needs to be a decision on what your business is going to do about GDPR. It’s stick or twist again; wait until there is an incident, request or knock on the door from the ICO, or make your business more secure by updating your approach to information security and data protection. We see the benefits of the latter and believe it is going to make a world of difference for our clients and ourselves.
If you would like to understand more about GDPR in relation to your business, we would be happy to have a chat.