Wanted: Super heroes to race to the rescue, as the clock ticks towards GDPR Day.
But be warned: there’s no time to lose, as the rescue mission must be in place by May 2018.
Okay, so that might be over-egging it a bit, but I bet we’ve grabbed your attention! And, behind the wordplay, there’s a great deal of truth in the message about the challenges organisations face in getting ready for the biggest shake-up in data laws for a generation.
GDPR: A quick recap
Those of you in the UK might have seen that GDPR has made it to the top of the BBC TV news and website. The media is waking up to it and the BBC article of 7 August 2017 explains much of the nitty gritty in simple terms.
The EU’s General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. All organisations within the EU must comply with the new regulations, but the impact goes way beyond the EU’s borders and will be felt worldwide.
Organisations based outside the EU that offer goods and services to individuals within the EU must also comply. And Brexit won’t make any difference: the UK Government has signed up to GDPR, irrespective of Brexit.
In the UK, GDPR replaces the Data Protection Act of 1998. The new laws introduce tighter controls on how organisations store and use personal data. This applies to both manual and automated storage and usage, and measures will have to be taken to ensure confidentiality.
The rights of individuals are also tightened. They have a right to know how you’re using their data and their consent has to be unequivocal. Even sharing certain information with colleagues or forwarding emails could be a potential breach.
Online identifiers such as IP addresses and cookies will be regarded as containing personally identifiable information.
By law, some organisations will have to appoint or assign a Data Protection Officer.
The financial and reputational repercussions of a breach could be significant: up to 4% of global turnover or €20 million, whichever is higher, for a serious breach, and up to 2% of global turnover or €10 million for failure to notify a breach.
In the UK, the best resource for updated information on GDPR is the independent Information Commissioner’s Office (ICO).
The value in getting your data house in order should be obvious, not just in clearing out old information, but in building trust with everyone you have dealings with that their sensitive data isn’t being misused. So it’s in everyone’s interest to get this right.
The role of L&D and compliance
You should be taking the lead. One of the first jobs is to review all internal data protection policies and training. Most, if not all, employees will need to know about the new rules and will require some level of training. L&D: This is your time to shine.
Another priority (which should have been completed before now) is an audit of all personal data stored. Any out-of-date material needs to be securely removed. Compliance leaders: step up to the plate!
If you’re not getting the support you need, then speak to your managers. Some organisations are investing in GDPR officers to help. According to ISC2, the certifying body for more than 123,000 cyber, information, software and infrastructure security professionals worldwide, one company has tasked 37 full-time employees to work on getting them GDPR-ready.
Other organisations, however, aren’t taking GDPR so seriously and are destined to miss the deadline. And guess who’s to blame for that …
It seems that where the response has been sluggish, it’s likely to be down to the C-Suite.
In June 2017, ISC2’s GDPR Task Force reported that “we are two-thirds into the journey with more than 50% to complete before the finish line”. One of the biggest issues is insufficient engagement from Boards and a lack of understanding of the amount of work and budget involved.
And, in the BBC report, the national chairman of the Federation of Small Businesses, Mike Cherry, said most smaller companies are in the dark about what the law means for them: “They simply aren't aware of what they will need to do, which creates a real risk of companies inadvertently facing fines.”
ISC2 have now issued a wake-up call: “Many businesses are still stuck in the initial stages of establishing their inventories of information, or not yet having support from the board and business units of their organisations, meaning that they are running out of time to prepare for 25 May 2018.”
In order to get the support you and your organisation’s staff need, L&D and compliance personnel might well have to use their persuasive powers on their bosses. And when 25 May 2018 arrives and your organisation can tick all the GDPR boxes, with fully compliant systems and a trained workforce, you’ll be able to remind them who it was who saved the day!