Part 1 - What is GDPR?
After four years of preparation and debate the General Data Protection Regulation (GDPR) was finally approved by the EU Parliament on 14th April 2016. It comes into force on the 25th May 2018. That’s a few weeks away. It will have a significant impact on any organisation in the UK that handles personal data.
Last week I phoned my electricity supplier. Nothing unusual in that, but this call was a complaint about the way the supplier had handled my personal information. There’s no doubt – they messed up pretty badly. However, being a forgiving soul, I worked hard at remaining calm, not yelling and being polite throughout the conversation. It was during our chat that I realised the person I was speaking to happened to be the Customer Service Manager for the entire company (a big, multi-national utilities supplier). Towards the end of the call I said something like “You’ll be a lot sharper when GDPR kicks in, I guess”. There was a pause – the response was surprising. The manager said “What’s GDPR?”
The manager had no idea what GDPR was. She had never received any briefing about it and was totally shocked when I explained what it was, and what it means. If she doesn’t know, lots of other people won’t know.
It’s important to remember – GDPR is here – we are supposed to be compliant already. It’s not going to go away. Brexit will have virtually no impact on it. It is going to require constant effort, robust processes and focused attention. Failure to comply will itself be a breach – there doesn’t have to be an incident! The potential consequences of failing to meet the Regulation could be massive.
If you and your people are unprepared, you risk potential fines that pose an existential threat – your organisation could be wiped out. And as with most points of law, ignorance is not an excuse.
This blog will, over the next few weeks, set out some ideas as to how you might meet this threat – reducing risk and limiting the potential impact. Whilst the consequences could be savage, what’s needed to meet GDPR is rarely complex and does not necessarily require huge investment in equipment and facilities. For the most part, what’s needed involves knowledge, understanding, communication and (here’s that phrase again) focused effort.
The GDPR Awareness course ‘Making Data Privacy Matter’ from APMG can act as a foundation. It provides the initial knowledge and understanding needed to begin addressing your response to the new Regulation. It doesn’t have all the answers, but it is the first step and provides you with a GDPR checklist to start with. It reflects the steps suggested by the UK Information Commissioner’s Office to address GDPR. It gives clear explanations of the concepts underpinning GDPR and examples to further clarify them. The course is for everyone – senior managers, full-time staff, security practitioners and regulatory implementers. GDPR needs to be addressed at a fundamental level – everyone (yes, that’s you) will have to develop a data-privacy mindset and help your organisation develop a data-privacy culture. Anything less will leave you exposed and at risk. You and all your people need to be able to answer the question – “What is GDPR?”
Angus McIlwraith - APMG, CCP Assessor
Senior Security and Information Risk Advisor (CCP)