Author: Gary Hibberd
Date: 3rd August 2020
If you’re one of those organisations still wondering what GDPR means, let me start by saying that it simply means: Giving Data Proper Respect.
Is that so difficult to understand? Of course not. But why, then, is there so much confusion about it? Allow me to explain why, and then give a more meaningful answer to the central question posed by this blog.
The GDPR: Feel the Force…
When the General Data Protection Regulation (GDPR) came into force on the 25th of May 2018 there was a collective ‘sigh’ from the business community. I’m sure I felt the way that Obi-Wan felt in Star Wars when he proclaimed, “I felt a great disturbance in the Force. As if millions of voices cried out in pain.”
From 2016, companies of all sizes seemed to fall into one or more of the following camps:
– Brexit means we don’t have to worry about it.
– What? GDPR? Don’t worry, we’ll sort it when it comes into force.
– GDPR? OMG… Burn EVERYTHING! We’re going to go out of business!!
– GDPR? We don’t care. It’s just bureaucracy gone mad.
The situation wasn’t helped by a business community that seemed to spawn more GDPR ‘Experts’ than a game of Mario Kart on fast-forward! Everyone from IT consultants to lawyers updated their LinkedIn profiles to proclaim they were GDPR Consultants/Experts who could make you GDPR ‘compliant’ (hint: there’s no such thing; the regulation asks you to demonstrate ongoing accountability, not to pass a one-off test).
There was a lot of ‘snake oil’ being passed around from 2016 to 2018, with peddlers selling FUD (Fear, Uncertainty and Doubt).
For almost two years I was taking calls from panic-stricken companies, stating “Help me. You’re my only hope!”. My response was always, “Please don’t panic… it’s really not that difficult.”
So, what does the GDPR actually mean to companies?
Before answering that simple question, let me remind everyone that the Data Protection Act 1998 had been around since, well, 1998. That’s 20 years before the GDPR came into force. The DPA 1998 had eight principles to follow. The GDPR has six (seven if you count the principle of Accountability, set out separately in Article 5(2)).
What GDPR means to companies is that it is now easier to demonstrate you’re a trustworthy company.
If you read no further in this blog, re-read the above line.
Working your way through the GDPR with proportionality and appropriateness in mind, you can demonstrate to your customers, clients, employees, and other stakeholders that you are an organisation that respects them and their privacy.
The GDPR means companies have had to clean up their act in relation to the control and processing of Personal Data.
In real terms, what does it mean?
If you’re new to the GDPR, let me focus your attention on the six core principles, which are the regulation’s central expectations of you (remember, it’s the LAW. You don’t get a choice about whether to adhere to it!).
Article 5 of the GDPR states that Personal Data shall be:
a) processed lawfully, fairly and in a transparent manner
Please have a lawful basis for processing the data (clue: “to make money” is not a viable response). You need to be fair and transparent about why you’re processing Personal Data, and be open about who you’re sharing it with.
b) collected for specific, explicit and legitimate purposes
Please be clear about why you’re collecting Personal Data and only use it for legitimate purposes.
c) adequate, relevant and limited to what is necessary
Please don’t collect more data than you need. E.g. If you’re a hotel, do you need to ask for my Date-of-Birth?
d) accurate, and where necessary, kept up to date
Please keep Personal Data up to date, and correct it when you learn it is wrong. (Is that too much to ask?)
e) kept in a form which permits identification of data subjects for no longer than is necessary
Please only keep the Personal Data for as long as you need it. How long that is will vary, based on the reason for processing and what the Personal Data is, so document the retention period for each purpose.
f) processed in a manner that ensures appropriate security of Personal Data
Please protect the Personal Data you’ve been entrusted with by putting in place appropriate security controls, both organisational (policies, training, access approval) and technical (access control, encryption, backups, logging), proportionate to the risk to the people the data is about.
Of course, there is a lot more to the GDPR, and I would urge you to read it or speak to someone who has. It explains some of the above and provides some great guidance. Is it an easy read? No. But it’s certainly not impenetrable.
Fear leads to the Dark side
The GDPR really isn’t something to fear. Simply put, you must look at your practices and determine how you satisfy these six principles.
If you’re not sure, then take the six principles and ask those around the Board table, “How do we demonstrate that we are [insert principle]”.
If you feel that the technical and operational measures you have in place are appropriate, for the size and complexity of your company, and the kind of Personal Data you’re collecting, then you’re doing great.
If you have gaps in your knowledge, or you feel you should be doing more, then you have some work to do.
(Hint: you need to ask these questions continually, not once. Perhaps add them to your monthly Board meeting agenda?)
The GDPR means companies have to demonstrate how they are Giving Data Proper Respect. It’s not difficult. How you demonstrate this is another topic, and I would urge you to get help if you need it. This can mean getting specialist advice and guidance or buying a book. If you’re a company employing 500 people and processing the Personal Data of thousands of individuals, then the former would be appropriate.
If you’re a small business employing just ten people, then perhaps buying a book is more appropriate for you.
The excellent ‘GDPR for Dummies’ written by the very wonderful Suzanne Dibble is a great resource. Don’t be embarrassed! I’ve been a Data Protection Officer for twenty years, and I have a copy on my desk. It’s written by experts in Data Protection and Cybersecurity and demystifies the GDPR brilliantly.
Remember that complying with the GDPR isn’t a choice you get to make; it’s the law. Do or do not. There is no try.
Good luck. And remember, the Force is with you. Always.