A post from Steven Foley, Advent IM Security Consultant…and not a moment too soon!
On 25th May 2018 the General Data Protection Regulation will come into force, bringing greater transparency, enhanced rights for citizens and increased accountability for data holders. This is not news; it is a fact and has been on the horizon for 3 years.
The recent headlines and scaremongering in the media following the announcement of HM Government’s Data Protection Bill, and the colossal fines of £17 million or 4% of annual global turnover that will supposedly be levied against all and sundry, may make for interesting headlines, but they do not reflect the reality of the GDPR and what it will mean. Elizabeth Denham of the ICO has stated that fines ‘will continue to be a last resort’. Of the 17,300 cases the ICO concluded last year, only 16 resulted in fines against the organisation. Although the increased fines will certainly sharpen the focus of many organisations, there is also a suite of other sanctions that the ICO may impose, such as reprimands and corrective orders, which may lead to the far more likely repercussion of reputational damage.
Whilst no one wants to be made the scapegoat, so long as you can demonstrate a sound and practicable intent to enforce data security practices you should not be fearful of EU/ICO mega fines. The ICO states in its Strategic Plan that it ensures those responsible for information have all the support and guidance required for effective information management, so the anxiety should really be put aside and the realisation should be that at the heart of the GDPR is the desire to ensure that citizens’ rights come first in this digital age. If you actually read the GDPR, it essentially builds on data privacy and security principles that organisations should already be abiding by; the DPA has been in force since 1998, after all!
So why embrace the change? The media have obviously made the stick the hot topic, but what about the carrot? As a business enabler, it may be worthwhile to consider the following:
- An initial outlay in resource may be necessary to ensure your information fundamentals are in order, but the long-term benefits could be not only better legal and policy compliance but also a competitive edge. Boards that show the public they are committed to taking citizens’ private data rights seriously may well have a large impact on where individuals choose to place their custom in the long term.
- Clear, transparent and accessible information on how you process personal data will lead to public confidence in your organisation.
- A review of information holdings, with correct storage and indexing of personal data, will make it much easier to provide individuals with their information following data requests, to amend any data discrepancies relating to an individual, and to identify and delete personal data where necessary.
- The commitment to adhere to the GDPR may also prompt a review of data retention policies. This may lead to the realisation that organisations can reduce storage overheads and reduce the overall size of their digital footprint.
In conclusion, the GDPR and the HMG Data Protection Bill will certainly provide the ICO with the platform to hammer any cavalier organisation that is negligent in the manner in which it processes, handles or stores personal data, but this will be reserved as a last resort. Organisations that are genuinely attempting to follow the intent of the regulation should have faith that this level of fine will not be brought to bear simply to make an example of them in the early days of implementation next June and July.
Posted by Ellie Hurst on 11th August 2017