General Data Protection Regulation (GDPR)
Is General Data Protection Regulation (GDPR) another Bandwagon?
We were told in 1999 that planes will fall out of the sky, hospitals will shut down and maybe, just maybe our belly buttons fall off if we don’t have all IT equipment tested for the “Millennium Bug”.
For anyone who missed the “Millennium Bug”, it was the idea that system clocks would falter on the changeover from 23:59 on the 31st December 1999 to 00:00 on the 1st December 2000. IT resellers and alleged experts climbed on board this Bandwagon of hype and hysteria to make a few quid.
I am pleased to say that we at Computer Network Services Ltd stepped away from this and took a more pragmatic approach to General Data Protection Regulation (GDPR), which I believe has stood many clients in good stead.
Can we take such an approach to General Data Protection Regulation (GDPR)? Well, no, not really. General Data Protection Regulation (GDPR) is designed for the protection of you and me.
A reference I have used recently is the case of the 14-year-old boy who sent an inappropriate photo to another pupil at his school. He was not arrested or prosecuted; however, the authorities wanted to retain the record under “Obscene Publications”, something which is intended to protect us. Remember, the boy was not arrested or convicted, so why do the authorities need to retain this record? A record which could appear on a CRB/DBS report, disqualifying him from employment or other opportunities later in life. All because of the action of a child of whom his mother said, “he was young, he was naive, he was silly”.
This is a perfect example of what GDPR is and will be about. The boy’s actions were undoubtedly not considered or planned in any way. They fell into the category of “seemed like a good idea at the time”. Should he potentially pay for his mistake later in life through the release of information which may not be relevant to his character in the future?
This falls under the “right to be forgotten” element of GDPR. If information retained is incorrect, inaccurate or irrelevant, then it must be destroyed. This is pertinent to businesses and applies to every contact, be it employee, customer, supplier or that unsolicited CV emailed to you.
Back to the Bandwagon.
“Cyber Security is Key”
“Data Protection is the answer”
“Data Recovery is paramount”
I could go on (if you were to ask my wife, I certainly do); however, the answer to all the above is yes, but not to each individually on its own. These and more need to be wrapped in a philosophy and company ethos which protects the individual. In summary, a “Duty of Care” to all those you and I deal with: we may need to retain information about them as individuals, but it must be relevant to the interaction or relationship.
What is relevant and what is irrelevant?
Our records show that David Fox works for Widgets Ltd at the following address. His email is firstname.lastname@example.org. Born on the 1st April 1980. Mary, David’s wife of 19 years, is an Accountant. They have three children, Mathew, Mark and Joan. David loves a round of golf at the weekend and is a member of his local Round Table.
I’ll let you work that one out and identify what is pertinent in our business relationship.
GDPR will stop or control the collecting of information which has no value to our business relationship. If we do collect this information, and have a valid reason for it, we need to protect it. This is where some or all of the above applies.
It is all very well having an IT infrastructure as tight as a drum if any employee of my company can see, copy and distribute that information at will. Policies and controls need to be in place to protect the information and, specifically, the individual: a “Duty of Care”.
Here at Computer Network Services Ltd we do not profess to be experts in creating policies and controls within a business; however, we can make your IT infrastructure “as tight as a drum”. We have teamed up with h2 Information Risk Management Consultants Ltd to take a more pragmatic view of GDPR and approach the imminent regulation.
We recommend an initial consultation which will:
- Firstly, bust some myths surrounding GDPR:
  - Fines of £17 Million (€20 Million)
  - You must report personal data breaches to the ICO
  - All details need to be provided as soon as a personal data breach occurs
- Review the key principles of the regulation and how they will impact your business.
- Measure your current position against an internationally recognised and respected metric.
- Create an action document to improve data protection.
- Adopt procedures which are cost neutral and simple to implement.
- Disseminate and train all staff in the new procedures.
Why not give us a call today on 01480 414143 or get in touch to arrange a consultation.