GDPR: What is it, and what you need to do about it
It’s hard to imagine that anyone in business hasn’t heard of GDPR. Early May has certainly seen a flurry of emails and letters sent to clients as companies rush to get their data protection ducks in a row before the ‘go live’ date of May 25th; surely burned on every businessperson’s heart. But how worried ought any of us to be? With the help of Phil Denham of IT company HBP Systems, we lift the lid on the legislation, and poke a stick at what’s beneath…
Let’s start at the beginning. GDPR stands for General Data Protection Regulation. It’s a pan-European law designed to make sure every company does everything in its power to stop personal data about clients, customers, and suppliers falling into unscrupulous hands. And it goes live on May 25th.
HBP Systems’ Commercial Director Phil Denham says the regulation is a law, and as such clearly tells you what you can’t do. “But having said you’re not allowed to do something, it doesn’t go on to tell you what you should do instead. That’s something you have to work out for yourself,” he says. “And there’s the second problem – the answer isn’t the same for every company.”
He illustrates the point with a look at Health & Safety legislation. “Rules enshrined in legislation exist to get everyone home from work safely, no matter where they work. Our company is largely office based. As such we have no major manufacturing activity, no forklift trucks, no welding, and no overhead cranes. The detail of our response to Health & Safety legislation is therefore different from a company that undertakes all of those operations as part of its daily activities – but the same legislation applies to all of us.”
In just the same way, GDPR wants everyone’s personal data to be protected to the same high standard. Says Phil: “That means that asking ‘what should I do’ draws the answer ‘it depends’. It depends on the kind of business you have, and what sort of data you hold.
A company like ours, which is involved with the IT networks of more than 600 Humber region companies, must take a different approach to GDPR from that taken by the cash-only business model of the window cleaner whose only IT is a web site showing pictures of the windows he cleans. The same rules apply to both companies, but the response to them is very different. He has no data worth stealing; we have access to a great deal.”
Working out what to do to become GDPR compliant starts with taking a deep breath. Phil advocates asking yourself the question: “How easy would it be for someone to steal data from my network?” Part of that answer will be in the fact that you’ve been protecting data – or ought to have been – through the Data Protection Act of 1988. But just as Health & Safety legislation has been modified, so has that relating to data protection. “The threat isn’t just from cyber criminals; it’s as likely that someone will copy data onto a memory stick and leave it on a bus. People are invariably the weakest link in any IT system. Companies should take steps to prevent that.”
Adopt good business practice
Phil says a great many companies are already working to GDPR standards without realising it. “Not passing data to third parties, using it wisely, storing it carefully, keeping databases up to date, encrypting data; these are all things responsible companies probably already do,” he says.
No-one will come to check up on you and your data protection regime, but if you suffer a data breach, that’s when things could get tough. Fines for those firms which have been blasé are eye-wateringly large, and sufficient to drive companies to the wall – if the loss of data and subsequent reputational damage haven’t done it by themselves.
However, companies which can prove they have taken all reasonable steps towards effective data protection are far less likely to lose data in the first place. That said, there is another potential area for financial damage. Companies are increasingly looking to potential suppliers to prove their data protection is effective as part of their tendering processes.
Phil advises securing accreditation to one of two standards, even though there’s no mandatory requirement from GDPR to have either. The first is the Government’s Cyber Essentials programme; the second is third-party certification to ISO 27001. His practical advice comes down to a few points:
- Make it as tough as possible for anyone to get at the data you hold.
- Take steps to encrypt it.
- Don’t let employees have access to all of it.
- Don’t use the same password for everything.
- Do all these things because they’re good business practice, not because someone in Brussels has told you to do them. They’re telling you because it’s good business practice, not because there has been a sudden and dramatic change.
“Protect yourself – and other people’s data – as much as you can, and you’ll be complying with GDPR,” he added.