While much coverage is given to the importance of taking action on data protection and the effects of updated regulation on business, the advice is often tainted with over-complication and has a sense of being the ‘current big thing’. It does not need to be like that.
But it is important. These changes will alter the way that we manage personal data in our possession and relating to others. We are moving to a norm where we will look upon this type of data in the same way as a doctor regards his or her patients’ medical information. This type of data is personal and not to be used or shared without a valid cause. Organisations can no longer simply share this data as they or their employees see fit.
That said, this message is being hijacked by many and over-complicated to such an extent that many organisations do not feel motivated to engage with their data protection obligations. I hope to simplify the understanding of this regulation and present it in a way that is not difficult to rationalise and need not be overly expensive to implement.
Data Protection is here to stay, and it does not need to be hard to implement
The reality is this: the protection of personal data is really good for us as a society. It protects an intangible asset that we all have (our own personal information) and prevents organisations (e.g. insurance, social media, marketing, political and welfare organisations) from using it in a way that is not to our benefit. This legislation is here to protect the way we live and can be implemented by most SMEs with relative ease.
While all organisations share a common responsibility to process personal data legitimately and to behave lawfully, there has been a rush to provide solutions that are often over-complex for SMEs. However, it can be strongly argued that a more company-specific approach, tailored to the scale and nature of that organisation's operations, is likely to deliver a better result for all.
To be absolutely clear, the holding of personal data has become a liability and action needs to be taken in response, but let’s keep it in proportion. It requires a degree of effort and commitment, but should not be overly cumbersome.
The real concerns for organisations are:
- To be compliant, and
- To avoid liabilities or harm.
You do not need to have a class-leading administrative process; simply amend your current practices and paperwork to better respect the privacy of individuals and to protect yourself against the possible liabilities.
The objectives for most SMEs should be:
- Demonstrate high regard for the privacy of others throughout the business.
- Do the basics well, have a legitimate purpose, obtain fairly, process fairly and destroy unnecessary data.
- Protect yourself: contracts, policy and process, and plan for critical events.
- Document all the above to be able to demonstrate compliance (this is a requirement in law).
This will enable organisations to treat personal data in a manner that is consistent with the requirements of GDPR, stay compliant, and minimise the organisation's exposure to harm.
Top 6 steps to avoid harm from Data Protection regulation
On a practical level, it is important for every organisation to:
- Know how this could result in liabilities to your organisation. Address these areas and you will significantly reduce risk to your organisation. Action is typically going to come from one of three sources: employees; customers or people on your premises; or IT breaches and cybercrime.
- Know the ‘purposes’ for processing personal data
- Redraft your policy and process documents accordingly
- Amend your contracts: staff, customers and suppliers
- Prepare for the possibility of a breach or access request event
- Provide training for employees exposed to the personal data of others
These six actions should be taken in the context of the scale and nature of the business. It does not need to be overly complex, but it does need to be sufficiently detailed to be adequate for purpose. This will put an average SME in great shape to be compliant with GDPR.
And there’s more
We need to keep data protection obligations in proportion to enable all organisations to engage wholeheartedly. This will help us all to embed the principles of Data Protection into our organisations, stay compliant and deliver on the objectives of the regulation.
I will be publishing eight more blogs in this series:
- How to become compliant with ease, and the importance of understanding the different ‘purposes’ that you have for the processing of personal data (this is the key)
- Top tips to stay compliant
- Managing the risks: breaches, access requests, DPC (Data Protection Commissioner) investigation, and where these risks are most likely to come from
- IT and cybersecurity is only part of the solution, but a critical one
- The importance of a good data retention policy and the destruction of unnecessary data
- How to embed Data Protection into the culture of your business
- Appointing a Data Protection Officer: do I need one?
- How to manage critical events
Was this page helpful?
If so, tune in for the next piece, or share your thoughts.