At one time, “Health and Safety” was pretty much the standard recourse for anyone looking for a decent excuse for not doing something. The arrival of GDPR must have been a real blessing for all the sloths out there, doubling their excuse repertoire as it does.
However, by and large, the General Data Protection Regulation, which came into effect one year ago, on May 25 2018, wasn’t met with cries of joy. Fear and dismay would probably be closer to the mark; fear of falling foul, and dismay at the workload and paperwork involved in implementing it or dealing with subject access requests. Yet more work that gets us nowhere and improves nothing. Or, at least, that was the perception. Weeks after the deadline, nearly a third of companies were freely admitting that they did not feel prepared (1).
At Datalynx, the protection of our clients’ data, and that of our employees, is paramount. Our specialism and reputation in data migration mean that we are responsible for the safe processing of highly sensitive data for high-profile clients across the United Kingdom and beyond. Our clients consistently report that they are confident in our ability to safeguard their information; they recognise the conscientiousness of our staff, know that they all have national security clearances and that our working practices and controls are carefully designed to minimise the risk of breaches.
And we should all know just how important this is, from government through major corporations to small businesses and right down to individual level: data breaches are now daily news with, in some cases, hundreds of millions of users’ personal data, including credit card details, passport numbers and addresses, being compromised. This affects us all, and all of us – however careful we are with our own security – rely upon the organisations we trust with our valuable personal information.
So it’s important. It’s important for our clients, for our staff and for our own reputation. And whilst downloading a GDPR policy template, using find and replace to insert our company name, and then filing it neatly away (never to be seen again) might have ticked some boxes, it isn’t likely to do much to improve our working practices.
Rather than looking for someone else’s solution – almost certainly a solution for someone else’s needs, not ours, and quite possibly flawed in any case – a good first step for any company looking to improve its practice is probably the ICO (Information Commissioner’s Office) website, which contains a thorough self-assessment checklist (2). At Datalynx, we started with this in order to highlight any areas where there might be weaknesses and then focussed on ways we could improve (something that underpins our company’s approach to all its activities).
You need to think about how to avoid problems in the first place, of course. A Subject Access Request could involve data stored in many different systems – think email, audit and backups, for example – and the real headache is then likely to be locating it. Planning how this will be achieved is crucial, and, even where it’s likely to be an unusual occurrence, maybe be really brave and try a practice run!
Above all, take a positive approach and, even if you think you’ve got it all covered (that downloaded template has been carefully filed away since May 24 2018…), keep reviewing your provision. It may not have been top of our wish list but a responsible approach to the management of personal data, not keeping more than we need to (remember that huge Excel worksheet with the customer list from 2005?), making sure that our staff are confident with procedures and know how to respond to queries, goes a long way to compliance. In fact, effective implementation of GDPR can help us to improve our working practices, to maintain our reputation and to improve our attractiveness to prospective employees.
So, I’ll be lighting that single candle on GDPR’s birthday cake on May 25. Join me and take the opportunity to review the way your company manages its data, and help make everyone’s personal data just that bit safer. Oh – and it still comes in quite handy as an impressive-sounding excuse too, if you really get desperate!
Note about the author
Simon is Business Support Administrator at Datalynx. He worked in the education sector for most of his working life before recently making a career change to IT. He has dealt with the implementation of GDPR compliance in both.
1 Nearly a third of organisations still not GDPR ready – Computer Weekly website, retrieved April 5th 2019 (https://www.computerweekly.com/news/252447321/Nearly-a-third-of-organisations-still-not-GDPR-ready)
2 Data Protection Self-Assessment – ICO website, retrieved April 11th 2019 (https://ico.org.uk/for-organisations/data-protection-self-assessment/)