So, the most talked-about piece of legislation in many years has finally arrived. GDPR (the General Data Protection Regulation) is here, and we all have to readjust to a world where the need to handle data carefully is more important than ever.
It is fair to say that the build-up to GDPR was like nothing we had ever seen before. What was clear was the huge amount of anxiety and uncertainty it brought to businesses large and small. However, as it is the biggest and most complex change in data regulation in a generation, this is not altogether surprising.
Now that the 25th May deadline has come and gone, the majority of firms are still dealing with the new landscape: signing Data Processing Agreements with suppliers, implementing tighter controls on data, and educating staff.
What we are also seeing is a more measured discussion about GDPR, aided by the Information Commissioner's Office (ICO). After all, the focus on huge fines for data breaches in the lead-up to GDPR, whilst understandable, seemed to overshadow the fact that GDPR is there to help us all as citizens in an ever-changing world. The ICO has even gone so far as to say that it is committed to guiding, advising and educating organisations rather than making an example of them by imposing maximum fines.
Many businesses have already opted for data minimisation, reducing the information they hold on individuals. That is par for the course if they want to avoid fines running into millions or, more likely, regulatory action such as the ICO requiring a firm to stop processing personal data until it has implemented remedial measures.
So now, over a month on, what are we seeing that we weren't previously? Above all, I think we are seeing more of a realisation that GDPR is not a one-off event but a continual and gradual process. Many companies are still coming to us for help, looking for reassurance and knowledge to ensure their businesses are not under threat.
However, it is still very much early days. What has to be remembered is that the general public have not been as aware of GDPR as businesses. The public will continue to learn and understand their rights regarding the data companies hold on them.
For instance, there has been some belief in the wider media that previous customers could flood firms with so-called Subject Access Requests (SARs) as increased awareness of GDPR takes hold. This is yet to transpire but, as I said, it is early days.
However, it cannot be underestimated what a huge burden this could be for firms that have to compile all the information should this happen, including those who still hold customer data in paper application forms collected many moons ago. It is wise for companies to consider now what information they do hold, because they will be required to detail all of it in their response, and that could be extensive.
Of course, another real fear for firms comes from proactive privacy campaigners or vigilantes who profess to pick targets at random, fishing for group litigation claims and alerting the ICO to compliance failings. The ICO itself has also selected certain sectors for investigation, e.g. social media, retail banking and mortgages.
In the face of this concern, firms cannot rely solely on the policies, processes, procedures and technology they put in place in the run-up to the new legislation.
They cannot rest on their laurels, and need to appreciate that ultimately their staff are the ones who create the 'Human Firewall' that protects them against GDPR breaches.
We at Skillcast call this the People Dimension. It is wise to appreciate that it is people who will be tackling GDPR's fine detail on the front line, so by supporting them, firms stand a better chance of avoiding breaches and, if the worst does happen, of responding well when they occur.
The simple fact that GDPR is here to stay has to be taken on board by businesses. Ensuring that staff are educated, adequately trained and prepared to comply with GDPR will prevent many sleepless nights.
Of course, staff compliance training is sometimes seen by businesses as a drain on resources, partly because many firms still use classroom training as the answer, which can be expensive and fail to enthuse staff to comply with regulations. Digital learning has come a long way: with video and interactivity, it is often an inexpensive and cost-effective way of engaging staff without becoming overly onerous.
It is very important, too, that learning is relevant and that employees can choose the best time and method for them to learn. There is a wide variety of formats, from micro-learning videos, interactive scenarios, e-books, podcasts, articles and research reports to informally generated blogs and vlogs. Engage staff in a way that leaves them prepared and able to comply fully and deal with threats on a daily basis.
Firms need to support their staff with just-in-time learning, which ensures that knowledge is tailored as precisely as possible to the task in hand. After all, facts we are told that are not relevant are quickly forgotten and a waste of the valuable resource of time.
So, we are still very much in the infancy of GDPR compliance, but what is clear is the need for businesses to realise the importance of the people dimension.
Businesses that build and develop a strong team with up-to-date compliance training will have a competitive advantage over rivals that do not adopt this mindset.
GDPR is very much here to stay. All businesses, for the sake of everyone in the organisation, need to realise this and embrace it.