Where do you get your GDPR information from? Legal advisers? Data protection practitioners? LinkedIn? Or maybe from vendor blogs trying to make out that they have the ‘silver bullet’? We hear a lot of misconceptions in our consultancy work, so I thought that I’d cover some of the common mistakes.
“We’re too small so GDPR won’t affect us”
We are regularly told by sub 250-employee organisations that GDPR will not have any effect on them and they don’t need to do anything. These organisations have typically not done anything to be compliant with the Data Protection Act 1998 (DPA) so don’t see the GDPR as an issue. I’m afraid this is incorrect – GDPR will apply. The only area of difference is when it comes to record keeping.
Organisations with fewer than 250 employees do not need to record all processing activities or make note of things like the amount of time it will retain data or with whom it is sharing personal data. But this is not an absolute exclusion – it doesn’t apply where “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data”.
Another issue for SMEs will be where they supply larger organisations with goods or services. Those large organisations will no doubt expect their suppliers to meet specific GDPR obligations, especially if they are a data processor to their customer. This may well include detailed record keeping.
So, the key takeaway is GDPR does apply to small businesses.
“We’re going to wait and see how things change due to Brexit”
In fairness, this area of misunderstanding is becoming less common and we expect it to wither even further given the announcement of new data protection legislation in the recent queen’s speech.
This video from Information Commissioner Elizabeth Denham makes it clear that Brexit will not affect the enforcement of GDPR in the UK. Also, don’t forget that GDPR is under a year away and Brexit just under two. There is also the fact that we transact with Europe on a regular basis and have EU Citizens (I’m thinking post-Brexit here) living and working in the UK.
As such GDPR is going to apply to many organisations irrespective of our data protection status after Brexit.
“What am I meant to do with Business Cards then?”
There is always one person in every session I run who asks about business cards and email addresses. “How can you gain consent for marketing or processing the personal data from a business card and does business information like a work email address even constitute personal data?” is the common query. Yes, business card information is personal data. It might not be the highest risk personal data that you process but it is still personal data and you are still processing it. There is still clarity required around lawful use of business information and sharing of privacy information (such as through privacy notices) but there are steps that you should be taking now.
This starts with recognising that business card information is personal data and the 6 principles and accountability obligations apply.
“Our solution will make you GDPR compliant!”
Hogwash! There is no technology or solution that will make you compliant. Whilst your compliance activities and the steps you take to meet your obligations can be technology enabled there isn’t a silver bullet. There are some good enabling technologies out there but whether they are right for you depends on your use case and the nature of your organisation. The chances are they will help you mitigate a risk but they won’t make you compliant. A lot of vendors are talking up their GDPR credentials as they see a sales opportunity. Sadly, the good messaging from specialists is getting lost among the noise. We start every conversation by making it clear that we don’t sell technology so as to set ourselves apart from the noise and the scepticism that is developing around it. We do partner with technology resellers who offer our services, but are careful to work only with those who know not to lead with technology as being the answer.
If technology isn’t the answer then what is? A great starting point is to map your data and then overlay the 6 data protection principles set out at Article 5 of the GDPR. From this you’ll start to identify gaps that you need to address. You can absolutely get help with this and also with the data protection practices that you need to apply to prepare for 25th May 2018. We, for example, can help with a readiness assessment, developing a data protection management system, implementing suitable practices and improving employee awareness. We can also help with information security specialist advice in the context of GDPR and more widely.
In any event, take suitable advice from a data protection practitioner, maybe even a data protection lawyer and perhaps even both.
Author: James Robson
James is an information governance consultant with Cybercrowd. He specialises in data protection, GDPR readiness, ISO27001 implementation and information security.