The 25th May 2018 is fast approaching. This is when the new General Data Protection Regulation comes into force. The focus of the regulation is to strengthen our rights as individuals: individuals who have grown accustomed to sharing a bewildering amount of personal information online and across so many areas of our lives. The fact is that barely any of us have time to truthfully put the tick in the box that says “I agree that I have read and understood… blah blah blah.”
Over the 20 years since the most recent update to the Data Protection Act, the world has changed significantly. Back in 1998 the Internet was only just becoming an accepted space for people to do business; in fact many businesses asked “why do we need a website?”. Telecoms companies raced to deliver the infrastructure, and then more and more companies set up websites – companies like Amazon, Google, Facebook, Instagram… Governments started placing their trust in the emerging technology to save time and reduce operational costs… Meanwhile, criminals seized upon another opportunity to exploit the technical and social vulnerabilities, stealing identities and performing lucrative, non-violent, “victimless” crime. For a while fraudsters had their heyday, but these new rules place extra responsibilities on organisations handling personal data.
Almost weekly, there would be news reports of data breaches, scams and security hacks. With the increase in the availability of data, the quantity of information being lost (left on trains), stolen (mobile smart phones and laptops being snatched) and acquired (hacked by competitors, thieves, or enthusiastic amateurs) grew at staggering rates – billions of records being exposed at a time.
You’ll find a lot of information online about the new GDPR. Much of it is available to you directly and for free, simply by reading the EU regulation or viewing guidance from the Information Commissioner’s Office – these are the two authorities. There is also a wealth of hot air, scaremongering and hypothetical information available from band-wagoneers. Every niche service wants a piece of the action: lawyers, hardware companies, software companies. There are some tempting self-service compliance tool-kits, none of which can deliver your compliance programme or project as a stand-alone solution. Do you have time to enquire about them all, and what happens if you make the wrong choice?
For the last 18 months Deciduous Partners have been assisting organisations with the practical steps they need to take to achieve compliance. There is no doubt that it is complicated, but a pragmatic approach and careful consideration of your existing and proposed operations will make the way to compliance quite clear. We have gained the experience needed to guide you through. If you are starting now, it is unlikely that compliance can be achieved before the deadline, but you will have a plan to work to and we will be on hand to help.
Worryingly, a recent FSB survey discovered that even now, only 8 out of 1000 survey respondents believed their organisation would be compliant before the May 25th deadline. Alongside the initial inconvenience of a data breach, those organisations risk facing significant fines and damage to their brand reputation.
In addition to initial support to establish your GDPR compliance programme, we can provide the outsourced services of a Data Protection Officer, with the ability to handle your Data Subject Access Requests, conduct Privacy Impact Assessments, co-ordinate responses to information security incidents and Personal Data Breaches, and act as a buffer, providing an independent advisory role and liaising with the relevant Supervisory Authorities, the media, and those affected by a breach.
Please do get in touch to discuss your specific situation in complete confidence.