More than a year after its high-profile and somewhat controversial introduction, GDPR – or the Data Protection Act 2018 if you want to give it its UK legislative name – is now well and truly bedding in.
And you’re all registered with the regulator, the ICO (Information Commissioner’s Office), I assume?
Assuming that’s all in place, there are probably a number of other aspects you still have to deal with and work on, like your Processor Agreements, your Data Retention Policy, your process for dealing with a Data Breach and more.
If my experiences over the last year-and-a-bit are representative, then many of you won’t have much of a clue what I’m talking about there!
Why should I care?
It’s a good question. Are you going to get caught out or punished for not having these things in place?
My response to that question is always consistent. You possibly – probably even – won’t. If you haven’t done these things and nothing ever goes wrong, you’ll almost certainly be fine.
The ICO are not going to come in and shut your business down or fine you a six- or seven-figure sum for not having done these things. Well, at least as long as you’re not a global multi-national earning millions in revenue.
However, is that the right and ethical approach for those you hold the data of, or the best practice for your organisation in the event of an incident? No.
My recommendation is to continue working through your GDPR to-do list, even if that means dusting it off from the bottom of that drawer it’s been placed in.
The ICO has started to fine the big companies heavily. Look at the fines of British Airways, fined an eye-watering £183m (1.5% of its global turnover), and Marriott Group, who got whacked for £100m. Had the Facebook/Cambridge Analytica case been post-GDPR then their maximum fine, an entirely believable punishment, would have been more than £1.3Bn! They were actually slapped with just £500,000, the maximum available fine at the time.
The ICO are using their enhanced powers to great effect, but it’s not just big companies getting punished. Thousands of small businesses have been fined for not registering as Data Processors (you almost certainly are one if you didn’t realise). Others have been fined for not appropriately training their staff or for sending emails to their customer database with all email addresses showing (how many of us have done that before by accident?). One Birmingham Council staff member was even personally fined for inappropriately accessing records – would you want that to happen to one of your untrained staff members?
Don’t think you’re immune just because you’re smaller than the average business. If you do something wrong, and if you don’t install at least basic systems and processes to protect the data you hold, then you could well feel the force of the regulator. By putting a few basic steps in place, you mitigate anything that does still go wrong and help ensure that any investigation or punishment is light in its nature.
What should I do?
There are many things to consider, but each company is different depending on its size, location, customer database, how it does marketing and many other aspects.
The way I explain it to anyone is that you should think of Data Protection using two different analogies.
The Health & Safety analogy
From a business protection point of view, think Health & Safety. It’s highly unlikely you’ll ever have a fire on your premises, or have someone slip on a pool of water and break a leg, but you don’t have open flames in your workplace or leave spills, do you? Just in case.
And in fact, what you’ll probably have is a fire blanket in the kitchen, fire extinguishers on the wall in the larger offices and a yellow hazard sign ready and waiting to put up in the event of a spill. Your electrical items will be tested once a year. There will be fire escape routes well signed and communicated.
Just. In. Case.
Do you think small businesses had that all in place 45 years ago when the H&S Act was first published and enforced? They didn’t. But after it was put in place, when businesses started having incidents – fires, explosions, whatever – and being made examples of, it didn’t take long for everyone to realise they had to take this seriously, both to:
a) prevent the event becoming more serious than it might otherwise be, and
b) reduce the eventual punishment/action that you might be liable to after an incident.
Data Protection is heading down the same road. Put basic policies and procedures in place. Put preventative measures in place. Review your key documents and ensure all key staff are trained – just like you would for Health & Safety.
When you introduce a new piece of equipment or machinery into a factory environment, the engineering team or Health & Safety officers will do a validation check to make sure it’s safe to use. This goes as far as the kettle or toaster in works kitchens.
That is the approach – the mindset – now required for data security too. If updates are made, if personnel change, if IT software packages are altered, you should review whether there is any impact on your standard data protection measures.
Whether that’s marketing and CRM management, HR’s personnel processes or online payment systems, organisations are now FULLY responsible for keeping personal data secure.
And just like Health & Safety, check your mitigation plans – your processes and policies (or fire extinguishers and electrical items) – every year to help keep them up-to-date and ensure their suitability.
The Diamond Ring analogy
In terms of what you should do in your day-to-day working life, I find this analogy always seems to get the best levels of understanding. People, whether they’re staff, customers, suppliers, prospects – whoever – are giving you information that is valuable to them, and would be valuable to others. If it was stolen, damaged, given away/sold or lost, then they’d have an issue with that.
They want you to use it for the purposes it is given for, such as fulfilling an order or a monthly service, but they expect due care and attention to be given in protecting it.
Think of each person’s Personal Data you hold as being their diamond ring. Ask yourself these questions and then think about how you can put that into practice in your working day. Every day.
Would you leave that ring out on a desk whilst you go for lunch, or leave it on the printer and forget it was there? Would you just shove it in a drawer overnight when a perfectly good lockable secure unit was available? Would you trust it to a brand new employee you’ve just hired if they hadn’t been trained in how to look after it?
Now think about how you handle your paperwork, your laptop, your HubSpot passwords. How many of you who work in a team have ever written the bank details of a customer on a post-it and left it for someone else to manage a task?
How many of you have sent a spreadsheet of customer details to an agency or mailing house, or left a USB stick with data in a coffee shop or on a train by accident? How many of you send bank details via an unencrypted file or email? If you hold sensitive personal data, is your laptop encrypted?
I’m not saying you need to lock up everything in sight in the office and have a top-of-the-range safe for everything. The ICO talks regularly of ‘proportionate and appropriate measures’ and you need to consider what that is for your business and the personal data you process.
My recommendation is to have a little notepad on you at all times for a month and, each time you use personal data in any way (adding, editing, accessing, marketing to it, etc.), scribble down any minor risks you can see with its security and then address them one by one.
Secure ALL your data like you’d like your own to be secured.
How would you expect your data to be handled by your bank or your GP surgery? Or by the online retailer you spend £10 with as a one-off purchase?
Treat other people’s data like you’d expect your own to be treated and you won’t go far wrong.