01 November 2017
When contemplating content for this blog, I try to think about things that inspire me... so, to be honest data protection doesn't often feature high on my list. Okay, it doesn't feature at all.
But it really should do. You don’t have to think too hard to recall horror stories of large corporations facing heavy fines for data protection breaches - from TalkTalk to Morrison’s to Equifax; it’s an issue that does not discriminate.
And so this morning, I revved up my enthusiasm and channelled my ‘serious marketer’ mindset as I attended a GDPR Masterclass. At 7.30am. In Birmingham City Centre.
I don’t even live in Birmingham. This is what is called dedication, people.
Our trainer, Simon, was straight with us from the get-go. He made it clear that this would not be fun, in the strictest sense of the word... but, wouldn’t you know it, he actually did make it quite fun. In places. Well, he was quite funny. In places. Let’s put it this way, after a two hour PowerPoint presentation, the room was still full of smiles, the majority of attendees had been furiously typing or scribbling away throughout (despite the fact that we knew we were going to receive the slides afterwards) and I don’t think I was the only one who felt a little more empowered and a lot less daunted by the prospect of GDPR.
So, what is GDPR? The General Data Protection Regulation (EU) 2016/679 is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU) (thank you, Wikipedia).
Put simply, GDPR is like the Data Protection Act on steroids. It is far-reaching and it is actually in effect right now. However, it will only become enforceable next year. From 25th May 2018, to be exact.
So, what does GDPR cover? Well, it covers the processing of any data that is classed as Personally Identifiable Information (PII). This is a game changer. PII includes everything from a physical address to an IP address. It also includes data classed as ‘sensitive’, which covers religious and political beliefs, genetic and biometric data and even sexual preferences (although, admittedly, that’s one detail most data capture forms don’t ask for).
So, why should you care? You should care because of the potential fines for breaches, the costs of reparations you may have to make to individuals or groups (through class actions) and because of the short and long term damage a data breach can have on your organisation's reputation. And whatever happens during or after Brexit, this legislation and your obligations under it will still apply.
There’s a lot of information available direct from the ICO (Information Commissioner’s Office), the UK’s Supervisory Authority. And I would absolutely recommend getting along to a free seminar from experts who have achieved ISO/IEC 27001:2013 data security certification.
Personally, I also think you should care because it’s the right thing to do. Organisations are made up of individuals and as individuals, we all share PII, all day, every day.
Yet, we continue to see breaches. And often these breaches are committed by companies that should know better... right?
Well, as individuals within these organisations, especially those of us tasked with processing (and therefore protecting) data, we absolutely have a duty of care to review, escalate and understand the unique data challenges of our companies. So, bite the bullet... it's not as scary as you might think.