With GDPR now over a year old, those of us who hoped that Brexit would remove the need for GDPR compliance have been disappointed: the Regulation has been carried into UK law by the Data Protection Act 2018. But a year on, how seriously are organisations actually taking the subject?
Like many of us, you may still receive unsolicited calls from organisations trying to sell you their latest product, or wanting you to migrate your contract from your current provider. Are they in breach of GDPR?
If, like me, you try to take a tough stance, asking: who are you? Where did you get my contact details? And do you know you are in breach of GDPR? Then beware: you may well hear a plausible explanation.
I recently received an unsolicited call from an airtime provider who wanted me to switch to their latest super-fast 5G product. How did they get my details, and were they in breach of GDPR?
The answer is no. It transpires that I had signed up to free Wi-Fi in a motorway service station and ticked the box to accept the terms and conditions; buried away in the hundreds of pages of those terms and conditions was an acceptance that the Wi-Fi supplier had my permission to pass my personal details on to ‘relevant 3rd parties’.
Should we even worry about GDPR?
So, with loopholes like this, how many organisations have actually been fined for breaching GDPR since the Regulation came into force, and do we need to be concerned about GDPR at all?
After all, corporate governance teams across Europe, from the largest corporation to the smallest charity, spent months preparing for GDPR and ensuring compliance. The answer is yes: fines are now being levied across Europe, from Portugal to Germany.
Let’s remind ourselves of the background to the legislation and what it actually means. GDPR is an EU Regulation (2016/679), not an Act. It is intended to harmonise data protection law across Europe, to protect the privacy of individuals in the EU, and to penalise organisations that infringe it. To process personal data at all you need a lawful basis under Article 6: the best known are the individual’s consent and your own legitimate interests, but performance of a contract, a legal obligation, vital interests and a public task also qualify. Note that consent must be freely given, specific, informed and unambiguous. The fines that can be levied are potentially huge, and the two tiers depend on the type of infringement, not on the size of the company: up to €10m or 2% of total worldwide annual turnover, whichever is higher, for infringements such as failing to implement appropriate security measures or to notify a breach, and up to €20m or 4% of turnover for infringements of the core principles, the lawful-basis rules or data subjects’ rights (Article 83).
So how can you reduce the risk of falling foul of the GDPR legislation?
The steps toward preventing penalties
The obvious starting point is to ensure that your staff are aware of their responsibility for protecting your clients’ data. You then have the unenviable task of making your systems as secure as possible against attack, and therefore against data breaches.
When it comes to mitigating penalties for GDPR breaches, make sure that staff have signed up to all relevant policies and procedures, from your GDPR policy through to your information security policy and everything in between. GDPR’s accountability principle requires you not only to comply but to be able to demonstrate that you comply, and when a supervisory authority sets a fine it takes into account the technical and organisational measures you had in place (Article 83(2)). Being able to prove that you have policies in place, and more importantly that your staff have signed up to them, gives you as good a defence as possible if and when the ICO comes to call.
One way to achieve this is to implement a policy management software solution that holds all of your internal policies, procedures, work instructions, training material and so on, keeps them under full version control, publishes them to your staff, and records proof that each one has been received, read and understood. The benefits in terms of demonstrating compliance can be huge, and will help to keep potential GDPR penalties fiction rather than fact!