There’s a new gun in town called ‘General Data Protection Regulation’, or to give it its catchy title, GDPR. It’s going live and you need to be compliant by May 2018 if you handle customer data… think on that for a minute.
GDPR is a data protection regulation that is to extend the scope of protection for EU residents. Brexiteers don’t fear, it will still impact us when we aren’t in the EU.
The rules state that the extension of the data protection scope means that, irrespective of company location, if you hold or process data about an EU member you’re in the dock.
Why the widespread panic? Well, let’s start with:
Article 5(2) requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
You remember the audits and the stuff you made up the night before to satisfy a few risks in the register, or the minutes you drafted to cover the bases? You might want to prepare for this one, because if you screw this one up the fines might be a tad more sticky than a ‘minor’ non-conformance.
‘organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater)’ (source : www.eugdpr.org)
For context, if Amazon screw up, that’s £160M of potential fines. Let’s add in that you’re also liable to report a breach, so you need to confess your sins.
… but, and here’s the kicker, let’s face it: the vast majority of the big boys will get around the rules by hiring an army of consultants (and yes, I’m available for a modest fee and happy to bill on a percentage of fines avoided).
Pity the Small Guys
Looking at some of the fines over the last couple of years based on the ICO rulings, there are some concerns:
- Crown Prosecution Service
- Telegraph Media Group
- Talk Talk
- Hampshire County Council
- Serious Fraud Office
- Kent Police
- South Wales Police
If these guys can’t get it right with a less stringent regulation, what hope do we have in the new world and, more significantly, what hope do the smaller guys have?
I ran the ‘fine’ numbers against my local solicitors. They have branches in a few municipal towns and make a modest £212k revenue. Last time I went they had paper everywhere and I’m pretty sure they were running on Windows 3.1. I’m fairly sure the only Amazon they’d heard of was the one that fits double glazing, so the impact of cloud was whether to take an umbrella to the next meeting.
With a 4% breach fine that would be up to £8k, or €20M. A fairly wide range, that one. Let’s hope it’s not Judge Judy presiding or they may be in trouble.
Data Protection is critical to how we live with huge swathes of information being stored and used for all kinds of purposes, never mind nefarious ones. The integrity of that data is of paramount importance. The lackadaisical approach to compliance by box-ticking has got to change. Building culture and business process around how things should work rather than trying to get your process lined up for audit day is the only way to go.
We all know that this will be sensibly applied and there won’t be a wash of huge fines for all and sundry, because the ICO wouldn’t do that…
If you’re a small business (or a large one), I strongly advise you to read this, digest it, and read it again. The climate of compliance is going to change… don’t forget your umbrella.